US8407335B1 - Log message archiving and processing using a remote internet infrastructure

Info

Publication number: US8407335B1
Authority: US (United States)
Prior art keywords: aggregate, data center, priority, log messages, log
Prior art date:
Legal status: Active, expires (status as listed by Google Patents, not a legal conclusion)
Application number: US12/141,202
Inventors: Christopher A. Church, Paul Fisher, Eugene Golovinsky, Pavel S. Trakhtman, Mikhail Govshteyn
Current assignee: Alert Logic Inc
Original assignee: Alert Logic Inc
Priority date:
Filing date:
Publication date:

Legal events

  • Application filed by Alert Logic Inc
  • Priority to US12/141,202 (US8407335B1)
  • Assigned to ALERT LOGIC, INC.: assignment of assignors' interest (see document for details). Assignors: CHURCH, CHRISTOPHER A.; FISHER, PAUL; GOLOVINSKY, EUGENE; GOVSHTEYN, MIKHAIL; TRAKHTMAN, PAVEL
  • Application granted
  • Publication of US8407335B1
  • Assigned to SQUARE 1 BANK, AS AGENT: security interest (see document for details). Assignor: ALERT LOGIC, INC.
  • Assigned to PACIFIC WESTERN BANK: security interest (see document for details). Assignor: ALERT LOGIC, INC.
  • Assigned to ALERT LOGIC, INC.: release by secured party (see document for details). Assignor: PACIFIC WESTERN BANK
  • Assigned to GOLUB CAPITAL MARKETS LLC, AS COLLATERAL AGENT: second lien intellectual property security agreement. Assignor: ALERT LOGIC, INC.
  • Assigned to JEFFERIES FINANCE LLC, AS COLLATERAL AGENT: first lien intellectual property security agreement. Assignor: ALERT LOGIC, INC.
  • Legal status: Active; expiration adjusted

Classifications

    • G06F11/3082 (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F11/00 Error detection; error correction; monitoring > G06F11/30 Monitoring > G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data > G06F11/3072 where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting): the data filtering being achieved by aggregating or compressing the monitored data
    • G06F11/0709 (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F11/00 Error detection; error correction; monitoring > G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance > G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation > G06F11/0706 the processing taking place on a specific hardware platform or in a specific software environment): in a distributed system consisting of a plurality of standalone computer nodes, e.g. clusters, client-server systems
    • G06F11/0787 (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F11/00 Error detection; error correction; monitoring > G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance > G06F11/0703 Error or fault processing not based on redundancy > G06F11/0766 Error or fault reporting or storing): storage of error reports, e.g. persistent data storage, storage using memory protection
    • G06F11/3006 (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F11/00 Error detection; error correction; monitoring > G06F11/30 Monitoring > G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored): where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems

Definitions

  • This invention relates generally to the field of log message analysis and archiving and processing.
  • Computer systems utilized for business generate messages which audit user access, service errors, and other critical information about the operation of the systems. These messages are recorded in a log managed by the computing system and are therefore called log messages. Traditionally, log messages are recorded to files on the local file system or, in the case of syslog-enabled systems, can be redirected and stored on the local file system of a separate system. Computing systems based on Microsoft Windows record log messages to the local file system via the Windows Event Log.
  • PCI DSS Payment Card Industry Data Security Standard
  • SOX Sarbanes-Oxley Act
  • HIPAA Health Insurance Portability and Accountability Act
  • GLBA Gramm-Leach-Bliley Act
  • a log collection appliance is co-located on a network and connected via the internet to a centralized data center for processing and long-term archiving.
  • the servers, routers, switches and other network elements on the network are configured to direct log message traffic to the co-located appliance, allowing the appliance to buffer, prioritize and transmit a packetized representation of the log messages to the data center.
  • the word “aggregate” is used interchangeably with the word “packet”.
  • the data center may analyze the log messages for regulatory compliance or customer-specified policy related incidents and archive the messages and information for long term storage.
  • the data transmission is managed such that only the available bandwidth is utilized for transmission of log message packets or log message aggregates, so as not to interfere with the normal operation of the network.
  • the contents of each log message packet or log message aggregate are highly compressed using a lossless compression algorithm to a ratio of at least 10-to-1 to minimize the communications bandwidth utilized for large numbers of log messages.
  • Each packet or aggregate containing log messages is signed using a cryptographically secure digital signature algorithm to ensure the integrity of the log messages as they are processed and archived in the data center.
  • access to the processing and archive information is provided via a web application accessible from any computer connected to the internet. Incidents and archived log messages information are presented to the customer.
  • Embodiments disclosed herein make use of the fact that inexpensive public internet communications bandwidth and advanced cryptography capabilities are ubiquitously available today, and further that the majority of this communications bandwidth goes unused for some significant portion of each day.
  • Embodiments disclosed herein offer an easy way for organizations to solve compliance and security challenges by delivering log management capabilities in an on-demand model.
  • SaaS Software as a Service
  • a SaaS architecture enables users to pay for the services used without any additional computing costs.
  • customers are spared the capital investment, staff expense and operational complexity involved in managing the enormous volume of data represented by log messages generated from their compliance-relevant computing systems. They are able to leverage a reliable, secure and geographically dispersed infrastructure at a fraction of the cost of developing, deploying and maintaining a log management solution using techniques available on the market today.
  • a hardened distributed data center environment may be utilized to meet the secure long-term archiving dictated by current compliance regulations. For small to mid-sized enterprises, the deployment of such a computing infrastructure would exceed, or at least approach a significant proportion of, their current investment in computing systems which run their primary business operations. All processing, analysis, reporting and archiving are performed using a shared computing infrastructure. Thus, the costs normally placed on each customer to set up a processing and archiving infrastructure may be shared by many customers, and in a secure and reliable fashion.
  • FIG. 1 depicts an architectural diagram of one embodiment of a system for log message processing using a remote Internet infrastructure
  • FIG. 2 depicts an illustration of one embodiment of a storage medium including software code having instructions in accordance with one embodiment
  • FIG. 3 depicts a flow chart of one embodiment of a method for remote archiving and processing of log messages
  • FIG. 4 depicts a block diagram of one embodiment of a system for log message processing using a remote internet infrastructure
  • FIG. 5 depicts one embodiment of an interface used with a web portal.
  • the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion.
  • a process, product, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, article, or apparatus.
  • “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
  • any examples or illustrations given herein are not to be regarded in any way as restrictions on, limits to, or express definitions of, any term or terms with which they are utilized. Instead these examples or illustrations are to be regarded as being described with respect to one particular embodiment and as illustrative only. Those of ordinary skill in the art will appreciate that any term or terms with which these examples or illustrations are utilized encompass other embodiments as well as implementations and adaptations thereof which may or may not be given therewith or elsewhere in the specification and all such embodiments are intended to be included within the scope of that term or terms. Language designating such non-limiting examples and illustrations includes, but is not limited to: “for example,” “for instance,” “e.g.,” “in one embodiment,” and the like.
  • FIG. 1 illustrates one embodiment of a system for processing log messages.
  • components including, but not limited to, data center 100 , network 102 , network 104 , users 106 , firewall 108 , computing devices 110 , switches 112 , servers 114 , appliance 116 , and router 118 can cooperate to process log messages.
  • the system includes appliance 116 and data center 100 , each coupled to network 104 .
  • Other appliances may also be coupled to network 102 or network 104 .
  • Network 102 may be an intranet, a private network, a WAN, a LAN, etc.
  • Network 104 may be a public network such as the Internet.
  • Firewall 108 may control access to router 118 and computing devices 110 .
  • Appliance 116 may be located on network 102 behind firewall 108 . Appliance 116 may communicate with devices such as firewall 108 , servers 114 , computing devices 110 , routers 118 , and switches 112 on network 102 to collect log messages generated by users 106 or any of the devices.
  • Computing devices 110 may include laptop computers, personal computers, personal digital assistants, cellular phones, etc.
  • Appliance 116 may be a desktop computer, a laptop computer, a workstation, or nearly any other device capable of receiving, processing, filtering, packetizing, compressing, encrypting, or sending log messages over network 104 to data center 100 .
  • appliance 116 may be an application residing at one or more of the devices located on network 102 .
  • appliance 116 may be an application running on server 114 , may have a portion running on firewall 108 and another portion running on router 118 , etc.
  • appliance 116 can include a central processing unit (“CPU”), read-only memory (“ROM”), random access memory (“RAM”), a hard drive (“HD”), and input/output devices.
  • CPU central processing unit
  • ROM read-only memory
  • RAM random access memory
  • HD hard drive
  • Read only memory, random access memory, and hard drive memory of appliance 116 can include media that can be read by the central processing unit and other processors or machines. Therefore, each of these types of memories may include a computer-readable medium. These memories may be internal or external to appliance 116 .
  • Data center 100 may include analysis devices 120 , processing devices 122 , and data retention devices 124 for receiving, processing, and archiving log messages. Analysis devices 120 , processing devices 122 , and data retention devices 124 can also have a CPU, ROM, RAM, and HD, either collectively or individually.
  • Data center 100 may include portal 500 for access by users 106 via network 104 such that log messages or data associated with the analysis of the log messages may be accessed.
  • web portal 500 may provide an interface for remote access.
  • remote access may include configuring appliance 116 , data retention devices 124 , analysis devices 120 , and/or processing devices 122 . Remote access may include configuring criteria for determining what log messages are stored, how many queues are created, the size of the packets, and the like.
  • FIG. 2 illustrates a combination of software code elements 244 , 246 and 248 that may be embodied within computer-readable medium 218 on hard drive 250 in appliance 116 .
  • the instructions may be stored as software code elements on a DASD array, magnetic tape, floppy diskette, optical storage device, or other computer-readable medium or storage device.
  • the computer-readable instructions may be lines of compiled C++, Java, or other language code.
  • a filtering application may reside on a single appliance 116 .
  • a packetizing application may be stored in the same appliance 116 .
  • a set of computer-executable instructions in an embodiment may be contained on a data storage device, such as hard drive 250 of appliance 116 .
  • embodiments disclosed herein include methods for providing log message processing.
  • processing may include archiving, compliance processing, systems management, or other types of processing.
  • Embodiments may offer log message processing through a Software as a Service (SaaS) delivery platform.
  • Appliance 116 may receive log messages collected using the Syslog, MSRPC, or other protocols.
  • Appliance 116 may filter the messages into transmission priority queues and packetize the messages based on their priority.
  • Appliance 116 may securely transmit the packets to data center 100 for processing in accordance with customer desires, requirements, regulatory compliance, etc.
  • FIG. 3 depicts a flow diagram for one method for processing log messages.
  • log messages may be collected from computing devices on network 102 and stored in conjunction with appliance 116 .
  • access to Microsoft Windows log messages may be provided by remotely accessing the Windows Event Log using the Microsoft Remote Procedure Call (MSRPC).
  • MSRPC Microsoft Remote Procedure Call
  • a customer may configure firewall 108 , servers 114 , computing devices 110 , routers 118 and switches 112 to send log messages to appliance 116 .
  • Appliance 116 may store a set of computer-executable instructions operable to receive log messages from computing devices 110 , servers 114 , switches 112 , firewall 108 , users 106 , routers 118 , or other devices located on network 102 .
  • Log messages may be sent according to the syslog protocol.
  • RFC 3164 describes aspects of the syslog protocol.
  • Appliance 116 may store collected log messages in a buffer, discussed below.
  • collecting log messages may include translating the log messages using Dynamic Link Libraries (DLLs).
  • DLLs Dynamic Link Libraries
  • appliance 116 may utilize a set of message content rules to filter the log messages into priority queues or discard messages not designated for retention.
  • three priority queues may be used, although any number of priority queues may be established by a user.
  • the priority queues may be based on users 106 , servers 114 , computing devices 110 , firewall 108 , switches 112 or router 118 .
  • a log message generated from a particular server 114 may have a higher priority than another server 114 .
  • a log message generated by a selected user 106 may be designated a higher priority than a log message generated by another user 106 .
  • a log message generated from outside firewall 108 may have a higher priority rating than a log message generated from inside firewall 108 .
  • the priority queues may be prioritized as high, medium or low.
  • the priority queues may have a numerical prioritization such as 1-5. Those skilled in the art will appreciate that other prioritization formats may be utilized.
  • the filtered and prioritized log messages may be stored in queues in appliance 116 .
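The collection and prioritization steps above (syslog intake per RFC 3164, content rules, a configurable number of transmission priority queues, discarding of messages not designated for retention) as an added example; this is not code from the patent or from Alert Logic. The PRI decoding is the standard RFC 3164 facility*8+severity rule; the hostnames, the rule set and the sample lines are constructed for the example, and the Windows Event Log path over MSRPC is not shown.

```python
import re
from collections import deque
from dataclasses import dataclass

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# BSD syslog layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


@dataclass
class LogMessage:
    facility: str
    severity: str
    host: str
    tag: str
    msg: str


def parse_syslog(line: str) -> LogMessage:
    """Parse one RFC 3164 line; raise ValueError on anything that does not fit the layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return LogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                      m.group("host"), m.group("tag"), m.group("msg"))


# Message content rules, evaluated in order; the first match decides the queue.
# The hostnames and the rule set are constructed for this example.
RULES = [
    (lambda lm: lm.host == "fw-edge", "high"),                 # anything from the perimeter firewall
    (lambda lm: lm.facility in ("auth", "authpriv"), "high"),  # authentication events
    (lambda lm: SEVERITIES.index(lm.severity) <= SEVERITIES.index("err"), "medium"),
    (lambda lm: lm.severity == "debug", "discard"),            # not designated for retention
    (lambda lm: True, "low"),
]


class PriorityQueues:
    """Buffer of transmission priority queues plus counters for dropped input."""

    def __init__(self, names=("high", "medium", "low")):
        self.queues = {n: deque() for n in names}
        self.discarded = 0
        self.malformed = 0

    def route(self, line: str) -> str:
        try:
            lm = parse_syslog(line)
        except ValueError:
            self.malformed += 1      # count it; never let bad input stop the collector
            return "malformed"
        for predicate, target in RULES:
            if predicate(lm):
                if target == "discard":
                    self.discarded += 1
                else:
                    self.queues[target].append(lm)
                return target
        return "low"  # unreachable: the last rule always matches

    def depths(self) -> dict:
        return {n: len(q) for n, q in self.queues.items()}


# Constructed sample input (auth.info, local0.info, daemon.err, user.debug, daemon.info, junk).
SAMPLE_LINES = [
    "<38>Jun 18 09:12:01 web01 sshd[2231]: Accepted password for alice from 10.0.0.7 port 51022 ssh2",
    "<134>Jun 18 09:12:02 fw-edge kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5",
    "<27>Jun 18 09:12:03 db01 postgres[991]: FATAL: could not open file",
    "<15>Jun 18 09:12:04 web01 httpd: debug trace",
    "<30>Jun 18 09:12:05 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "garbage line with no PRI",
]


def route_all(lines):
    """Return (queue chosen per line, queue depths, discarded count, malformed count)."""
    pq = PriorityQueues()
    chosen = [pq.route(line) for line in lines]
    return chosen, pq.depths(), pq.discarded, pq.malformed


if __name__ == "__main__":
    print(route_all(SAMPLE_LINES))
```

Malformed input is counted rather than raised through the collector, because a log pipeline that stops on the first odd line is itself a gap in the audit trail; the counters are what an operator would graph to notice a source that has started emitting something the parser does not understand.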
  • appliance 116 may packetize the messages from one or more priority queues. Packetization may be based on the bandwidth of the network 104 available for communicating with data center 100 or the packetization algorithm. The bandwidth policy and packetization algorithm may independently affect the size of the packets, or may interact to affect the size of the packets.
  • a bandwidth transmission policy may be a set of limits specifying the bandwidth limit appliance 116 is permitted to utilize.
  • the bandwidth limit may be specified as a number of bytes per second or some other criterion.
  • the set of limits may be composed of non-overlapping time frames, with each time frame having an associated bandwidth limit.
  • a default bandwidth may be in effect when no bandwidth limit has been specified.
  • the packet size may be larger to accommodate more log messages or more packets may be sent. By packetizing the messages based on the available bandwidth, interference with day-to-day operations of the network or devices on the network may be reduced.
  • Table 1 depicts a sample bandwidth transmission policy. In Table 1, a first (default) bandwidth limit is set at 1500 Kbps, a second bandwidth limit is set at 200 Kbps between 0600-1800 hours, and a third bandwidth limit is set at 700 Kbps between 1800-2100 hours.
  • appliance 116 may follow a packetization algorithm to generate packets of log messages for transport. As log messages arrive at appliance 116 , they can be sorted into transmission priority queues based on a prioritization policy, such as in step 320 . Appliance 116 may utilize a packetization algorithm to select log messages from the various queues based on the priority of the log message, and fill packets to the configured size limit.
  • Table 2 depicts one embodiment of a packetization algorithm that may be used by appliance 116 to packetize log messages.
  • when appliance 116 selects the highest priority queue, a queue may be skipped if it was exhausted on the last execution of the algorithm (and may remain skipped on each subsequent execution until the lowest priority queue is exhausted), if the queue is to be skipped for a priority-specific time period, or if the contents of the queue would fill more than half of the packet size limit.
  • Embodiments may also allow a user to designate rules for packetizing. For example, a user may establish criteria such that all high priority log messages are packetized and sent from appliance 116 to data center 100 immediately, regardless of bandwidth. A user may establish criteria such that medium priority log messages are sent only during selected hours, or when the bandwidth is at a selected level. A user may establish criteria such that low priority log messages are sent only during selected hours, only when the bandwidth is at its highest level, or some other criteria. Thus, a user is able to designate criteria that enable embodiments to optimize the transmission of information to ensure higher priority messages are received timely, but without decreasing transmission rates (or increasing bandwidth costs) due to the transmission of lower priority messages. It will be apparent that a wide variety of criteria may be utilized by a user to designate these types of rules.
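The bandwidth transmission policy of Table 1 (default 1500 Kbps, 200 Kbps between 0600 and 1800, 700 Kbps between 1800 and 2100) and a packetization pass over the priority queues, as an added example that is not the patent's own algorithm or Alert Logic's code. The half-open time frames, the one-packet-per-interval sizing rule and the cap of half a packet on each lower-priority queue (an assumed reading of the "more than half" rule) are design choices made here; the queue contents are constructed.

```python
from collections import deque
from datetime import time

# Table 1 from the page: a default limit and two time frames with their own limits (Kbps).
DEFAULT_LIMIT_KBPS = 1500
POLICY_WINDOWS = [
    (time(6, 0), time(18, 0), 200),
    (time(18, 0), time(21, 0), 700),
]


def validate_windows(windows) -> None:
    """The page requires non-overlapping time frames; reject a policy that violates that."""
    ordered = sorted(windows)
    for (s1, e1, _), (s2, e2, _) in zip(ordered, ordered[1:]):
        if s2 < e1:
            raise ValueError(f"overlapping windows {s1}-{e1} and {s2}-{e2}")


def policy_is_valid(windows) -> bool:
    try:
        validate_windows(windows)
        return True
    except ValueError:
        return False


def bandwidth_limit_kbps(now: time, windows=POLICY_WINDOWS, default=DEFAULT_LIMIT_KBPS) -> int:
    """Limit in effect at wall-clock time `now`; frames are half-open [start, end)."""
    for start, end, limit in windows:
        if start <= now < end:
            return limit
    return default


def limit_at(hour: int, minute: int = 0) -> int:
    return bandwidth_limit_kbps(time(hour, minute))


def packet_size_bytes(limit_kbps: int, interval_s: float = 1.0) -> int:
    """Largest packet that fits the limit when one packet is sent per `interval_s`."""
    return int(limit_kbps * 1000 / 8 * interval_s)


def build_packet(queues, size_limit, order=("high", "medium", "low"), lower_share=0.5):
    """Fill one packet from the queues in priority order.

    The highest-priority queue may use the whole packet; each lower queue is capped at
    `lower_share` of the size limit so a backlog of low-priority messages cannot crowd
    out the next packet. Messages are byte strings; one that does not fit stays queued.
    """
    packet, used = [], 0
    for rank, name in enumerate(order):
        q = queues[name]
        cap = size_limit if rank == 0 else int(size_limit * lower_share)
        taken = 0
        while q and used + len(q[0]) <= size_limit and taken + len(q[0]) <= cap:
            msg = q.popleft()
            packet.append(msg)
            used += len(msg)
            taken += len(msg)
    return packet, used


def make_sample_queues():
    """Constructed queue contents: message lengths chosen so the caps are visible."""
    return {
        "high": deque([b"h" * 30, b"h" * 30]),
        "medium": deque([b"m" * 25, b"m" * 25, b"m" * 25]),
        "low": deque([b"l" * 10, b"l" * 10, b"l" * 10]),
    }


def demo_packetization(size_limit=100):
    """One pass: two high (60 B), one medium (25 B, cap 50), one low (10 B) fit in 100 B."""
    validate_windows(POLICY_WINDOWS)
    queues = make_sample_queues()
    packet, used = build_packet(queues, size_limit)
    return packet, used, {n: len(q) for n, q in queues.items()}


if __name__ == "__main__":
    print(limit_at(12), limit_at(19), limit_at(22), packet_size_bytes(limit_at(12)))
    print(demo_packetization())
```

The user rules described on the page (high priority sent at once regardless of bandwidth, lower priorities only in selected hours) map onto this structure as an extra eligibility check per queue before `build_packet` is called, with `limit_at` supplying the size budget for the current frame.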
  • appliance 116 may compress the packets.
  • the compression of the log message data may be performed using the bzip2 algorithm [BZIP2].
  • appliance 116 may encrypt each packet before sending the packet over network 104 .
  • the SHA-256 algorithm is one example of an encryption algorithm which may be used to encrypt such messages.
  • appliance 116 may digitally sign the encrypted packet before sending the packet over network 104 .
  • the FIPS 186-2 digital signature algorithm is one example of a digital signature algorithm which may be used to digitally sign such messages.
  • Those skilled in the art will appreciate that other compression, encryption and signature algorithms may be used.
  • packets that have been compressed, encrypted and digitally signed may be transmitted to data centers via encrypted transport over a public network, such as the Internet, and processed.
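The appliance-side compress-and-sign step and the data-center-side verify-before-decompress step, as an added example that is not the patent's or Alert Logic's code. bzip2 is used as the page states; the FIPS 186-2 signature is stood in for by an HMAC-SHA-256 tag because that is what the standard library offers, and the key is a constructed placeholder. One caveat for the reader: SHA-256 is a hash function, so it appears here inside the integrity tag, where a hash belongs; the confidentiality step is left to the encrypted transport the page also mentions and is not implemented in this block.

```python
import bz2
import hashlib
import hmac
import struct

# Constructed placeholder for the appliance's signing key (assumption; a real deployment
# would provision a per-appliance key and keep the verification key at the data center).
SIGNING_KEY = b"example-appliance-signing-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_aggregate(messages, key=SIGNING_KEY) -> bytes:
    """Appliance side: join, compress with bzip2, then authenticate the compressed bytes.

    Wire layout: 4-byte big-endian length of the compressed body, the body, then a
    32-byte HMAC-SHA-256 tag over the body. Messages must not contain newlines.
    """
    body = b"\n".join(messages)
    compressed = bz2.compress(body, compresslevel=9)
    tag = hmac.new(key, compressed, hashlib.sha256).digest()
    return struct.pack(">I", len(compressed)) + compressed + tag


def verify_and_open(aggregate: bytes, key=SIGNING_KEY) -> list:
    """Data-center side: check the tag before decompressing; raise on any defect."""
    if len(aggregate) < 4 + TAG_LEN:
        raise ValueError("truncated aggregate")
    (clen,) = struct.unpack(">I", aggregate[:4])
    compressed = aggregate[4:4 + clen]
    tag = aggregate[4 + clen:]
    if len(compressed) != clen or len(tag) != TAG_LEN:
        raise ValueError("truncated aggregate")
    expected = hmac.new(key, compressed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("signature check failed; aggregate rejected")
    return bz2.decompress(compressed).split(b"\n")


def is_valid(aggregate: bytes, key=SIGNING_KEY) -> bool:
    try:
        verify_and_open(aggregate, key)
        return True
    except (ValueError, OSError):
        return False


def compression_ratio(messages) -> float:
    """Raw bytes divided by compressed bytes, the figure the page quotes as at least 10-to-1."""
    body = b"\n".join(messages)
    return len(body) / len(bz2.compress(body, compresslevel=9))


# Constructed sample: 200 near-identical authentication lines, the kind of stream that compresses well.
SAMPLE_MESSAGES = [
    (f"<38>Jun 18 09:{i // 60:02d}:{i % 60:02d} web01 sshd[2231]: "
     f"Accepted password for alice from 10.0.0.7 port {51000 + i} ssh2").encode()
    for i in range(200)
]


def demo_aggregate():
    agg = build_aggregate(SAMPLE_MESSAGES)
    tampered = bytearray(agg)
    tampered[10] ^= 0x01            # flip one bit inside the compressed body
    return {
        "ratio": compression_ratio(SAMPLE_MESSAGES),
        "aggregate_bytes": len(agg),
        "intact_ok": is_valid(agg),
        "tampered_ok": is_valid(bytes(tampered)),
        "truncated_ok": is_valid(agg[:-1]),
    }


if __name__ == "__main__":
    print(demo_aggregate())
```

Verifying before decompressing matters: bzip2 decompression of attacker-controlled bytes is work done on unauthenticated input, and a compressed archive whose tag no longer matches should be rejected and logged rather than partially processed.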
  • appliance 116 can communicate with data center 100 to send packets of log messages from network 102 to data center 100 using network 104 . Communications between appliance 116 and data center 100 can be accomplished using electronic, optical, radio-frequency, or other signals. For example, when a user accesses appliance 116 , appliance 116 may convert the signals to a human understandable form when sending a communication to the user and may convert input from a human to appropriate electronic, optical, radio-frequency, or other signals to be used by data center 100 .
  • data center devices 120 , 122 , and 124 may convert the signals to a human understandable form when sending a communication to the operator and may convert input from a human to appropriate electronic, optical, radio-frequency, or other signals to be used by appliance 116 .
  • the transmission of packets may be controlled via the appliance in order to limit the amount of network bandwidth utilized, which allows the customer to manage the impact on their network.
  • Embodiments disclosed herein may satisfy regulatory compliance processing without the storage volume normally associated with archiving log messages. For example, if log messages are retained in response to a statutory requirement, a digital signature may be used to verify that the compressed and encrypted log messages archived in a remote infrastructure are the same as the original log messages. As a result, a user may satisfy the statutory requirement using a fraction of the storage volume.
  • FIG. 4 depicts a block diagram of one embodiment of a system for archiving log messages.
  • Appliance 116 on network 102 may communicate with computing devices 110 , servers 114 , switches 112 and routers 118 , each of which may forward log messages to appliance 116 .
  • Appliance 116 may filter the log messages and prioritize the log messages received from computing devices 110 , servers 114 , switches 112 , routers 118 and other devices located on network 102 based on user-defined criteria.
  • appliance 116 may store the filtered log messages in transmission priority queues such as queues 117 a , 117 b and 117 c in buffer 132 . Buffer 132 or queues 117 a , 117 b and 117 c may be internal or external to appliance 116 . In some embodiments, filtering may be based on a program, address or facility that generated the log message.
  • Appliance 116 may communicate with first data center 100 A over network 104 to send packets from appliance 116 to first data center 100 A.
  • First data center 100 A may receive packets which have been compressed, encrypted or digitally signed and store the packets in reliable storage 208 A.
  • First data center 100 A may include applications 210 A that are useful for analyzing the log messages in accordance with customer processing desires, requirements, protocols, etc. Applications 210 A may be stored on analysis devices 120 or processing devices 122 (not shown in FIG. 4 ).
  • First data center 100 A may include applications 210 A that may process log message packets to decompress, decrypt, and verify packets and process the data contained in each packet.
  • Examples of processing which may occur at first data center 100 A include, but are not limited to, normalizing log messages, extracting data from log messages, full text indexing of log messages, parsing log messages, structured output, data persistence, correlating log message data, and informing and alerting users of various events and processing results.
  • full text indexing may be performed real time to enable users to access the log messages.
  • a drawback of prior art archiving is that there may be a delay of days or weeks before the log messages are available for searching.
  • Embodiments disclosed herein allow nearly instantaneous search capability. In some cases, such as compliance processing, this enables a company, medical office, or other entity required to perform compliance processing to quickly access the log messages.
  • the log messages may be accessible almost instantly, which may be critical to preventing further events.
  • parsing may be performed nearly real time. In some embodiments, parsing may be available nearly real-time for high-priority log messages, particularly when the user has designated that log messages be sent immediately to another location.
  • structured output processing may be performed on log messages. Structured output may be used to display information about log messages. For example, structured output processing may indicate when certain computing devices are most active, what programs and applications users 106 are accessing, and the like.
  • persistence processing may be performed based on the type of information or regulations pertaining to the data. For example, legislation may require information to be retained for seven years. In this situation, the persistence processing may be more robust than persistence processing that may be based on a three-year requirement.
  • Embodiments disclosed herein allow users to define criteria for archiving and processing, such that each customer may designate the storage requirements they need, etc. In this way, a user that requires less robust storage requirements may not need to pay for a robust storage system, but may easily change the storage requirements if needed.
  • advanced correlation processing may also be performed.
  • appliance 116 may send log messages indicating that the same user 106 has tried to access server 114 from several different computing devices 110 at the same time. Each attempt, when viewed as a stand-alone event, may not be noteworthy.
  • advanced correlation processing may determine that the password for user 106 has been compromised and that multiple users 106 attempting to use the same password should be blocked.
  • advanced correlation processing may be useful for determining when firewall 108 has been breached, when servers 114 are being attacked, or the like.
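The correlation described in the preceding items (the same user 106 reaching server 114 from several computing devices 110 at the same time, each event unremarkable alone) as an added detection example; this is not the patent's correlation engine or Alert Logic's code. The event tuples, the 60-second window and the threshold of three devices are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as the data center would hold them after parsing:
# (timestamp, user, source computing device, target server)
SAMPLE_EVENTS = [
    ("2008-06-18T09:00:01", "alice", "pc-101", "server-114"),
    ("2008-06-18T09:00:05", "alice", "laptop-102", "server-114"),
    ("2008-06-18T09:00:09", "alice", "phone-103", "server-114"),
    ("2008-06-18T09:00:12", "bob", "pc-104", "server-114"),
    ("2008-06-18T09:30:00", "alice", "pc-101", "server-114"),
    ("2008-06-18T09:30:03", "alice", "laptop-102", "server-114"),
]


def correlate_shared_credential(events, window=timedelta(seconds=60), min_devices=3):
    """Flag users whose logins come from `min_devices` or more distinct devices within `window`.

    Each login is unremarkable on its own; the correlation is over the set of source
    devices per user in a sliding time window. Returns one alert per user for the first
    window that trips the threshold, carrying the blocking action the page describes.
    """
    by_user = defaultdict(list)
    for ts, user, device, target in events:
        by_user[user].append((datetime.fromisoformat(ts), device, target))

    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1            # slide the window forward
            in_window = logins[start:end + 1]
            devices = {d for _, d, _ in in_window}
            if len(devices) >= min_devices:
                alerts.append({
                    "user": user,
                    "devices": sorted(devices),
                    "targets": sorted({t for _, _, t in in_window}),
                    "first": logins[start][0].isoformat(),
                    "last": logins[end][0].isoformat(),
                    "action": "block further use of this credential and notify the account owner",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate_shared_credential(SAMPLE_EVENTS):
        print(alert)
```

The second burst for alice at 09:30 uses only two devices and so does not fire; tuning `min_devices` and `window` against a site's normal roaming behaviour is what keeps this rule from paging on every user with a laptop and a phone.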
  • Alerting may refer to sending a communication based on a log message.
  • First data center 100 A may process the log messages in a packet such that information is available for users 106 .
  • Data center 100 A having applications 210 A for processing may provide many advantages. As an example, if an unauthorized user 106 accessed a patient file stored on server 114 , a log message may be generated to indicate that an unauthorized person 106 was accessing the database, a log message may be generated to indicate that user 106 had logged on to a particular computing device 110 , a log message may be generated to indicate that user 106 had accessed server 114 , etc. Each log message generated from the event may be filtered as a high priority message and sent immediately to data center 100 A. Applications 210 A in data center 100 A may process the log messages to determine the response.
  • data center 100 A may send an alert to user 106 in network 102 notifying the user that they are not authorized to access the database, send an alert to the supervisor of user 106 , send an alert to the computing device 110 upon which unauthorized user 106 is accessing the database, send an alert to server 114 , etc.
  • the alert may inform user 106 to stop accessing the database, a set of instructions for computing device 110 to logoff the unauthorized user, a set of instructions to deny further access to server 114 , etc.
  • First data center 100 A may send a copy of each compressed, encrypted and digitally signed packet to second data center 100 B.
  • second data center 100 B may receive a copy of the packet of log messages that has been packetized, compressed, encrypted or digitally signed and sent to first data center 100 A.
  • Second data center 100 B may include storage 208 B and applications 210 B.
  • Applications 210 B may perform the same or different processing on packets in second data center 100 B that applications 210 A perform on packets received in first data center 100 A.
  • data center 100 B does not perform alert processing.
  • data center 100 B may perform some alert processing but may not send an alert.
  • data center 100 B may assume the functions of data center 100 A in the event data center 100 A is unable to function as the primary data center, such as due to a natural disaster or other outside factor, or due to being taken off-line for maintenance or some other internal factor.
  • data center 100 A may be the primary data center for a first network and the secondary (backup) data center 100 B for a second network.
  • data center 100 B may be the primary data center for the second network and the secondary (backup) data center for the first network.
  • data center 100 B may send an acknowledgement message to data center 100 A.
  • data center 100 A may forward the message or may send a copy of the message to appliance 116 . If first data center 100 A does not receive an acknowledgement within a selected time limit, first data center 100 A may send another copy of the packet.
  • appliance 116 may delete the corresponding packet from memory. If appliance 116 does not receive an acknowledgement within a selected time limit, appliance 116 may send another copy of the packet.
  • FIG. 5 depicts an illustration of a web portal 500 according to one embodiment.
  • Web portal 500 may allow users 106 on network 102 to view information associated with log messages sent to data center 100A.
  • Graph 511 or data 512 may be used to display information about the types of log messages received by data center 100A.
  • Graph 513 or data 514 may be used to display information about the busiest IP addresses.
  • Graph 515 or data 516, 517 or 518 may be used to display information about archival disk usage.
  • Graph 515 illustrates (and data 518 depicts) that archival disk usage is 28.23 GB.
  • The customer may be billed for only 28.23 GB of storage volume at data center 100A.
  • The customer may be billed for the increased storage volume.
  • The customer may maintain enough storage on a day-to-day basis. In some cases, this may be more desirable than having a user estimate how much storage volume they will need and purchase an appropriate storage device.
  • The owner may try to estimate the storage volume needed months or years in the future, and may underestimate or overestimate the amount of storage volume needed. If too little storage volume is purchased, critical data might be lost, which may have regulatory consequences. If too much storage volume is purchased, the cost may negatively affect the financial status of the company.
  • Data 516 may be used to provide information on the number of log sources generating log messages.
  • Data 517 may be used to provide information on the number of log messages identified for processing.
  • Graph 519 may be used to display information about archived messages, such as the quantity stored in a given time period.
  • Graph 519 may be used to show that the number of messages archived in data center 100A fluctuates during a 24-hour period. For example, graph 519 illustrates that the number of messages sent around hour 17 was higher than at any other time, which may indicate that more log messages were generated during that period, or that more bandwidth was available during that time.
  • Web portal 500 may include other information displayed as Summary 510, Dashboard 520, Threats 530, Vulnerabilities 540, Logs 550, Cases 560, Management 570, Reports 580, or some other tool.
  • Web portal 500 may allow users to establish criteria for log message archiving and processing. For example, web portal 500 may allow a user to establish the number of priority queues, the criteria for filtering log messages into the priority queues, the criteria for packetizing the log messages, and any other criteria. Thus, some or all of the functionality of log message archiving and processing may be performed using a remote internet infrastructure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An appliance is co-located on a network with computing devices. Log messages generated by the computing devices are collected by the appliance, filtered based on the content and stored in transmission priority queues based on the content. The appliance packetizes the log messages based on the transmission priority queue and the available bandwidth and compresses the packet. The appliance encrypts the packet, digitally signs the encrypted packet and sends the packet to a first data center over a public network. The first data center stores the packet in reliable storage and performs processing on the data. A copy of the packet is sent to a second data center that stores the copy and performs processing on the copied data. The appliance deletes the packet from its buffer after it has received acknowledgement that the second data center has received the packet.

Description

FIELD OF THE INVENTION
This invention relates generally to the field of log message analysis, archiving and processing.
BACKGROUND
Computer systems used for business generate messages which audit user access, service errors, and other critical information about the operation of the systems. These messages are recorded in a log managed by the computing system and are therefore called log messages. Traditionally log messages are recorded to files on the local file system, or in the case of syslog-enabled systems, can be redirected and stored on the local file system of a separate system. Computing systems based on Microsoft Windows record log messages to the local file system via the Windows Event Log.
Recent industry and government regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) require that log data be collected, regularly reviewed, and securely archived. To meet the requirements of these regulations, log message files must be archived for up to seven (7) years. For large organizations or organizations with specialized operations, the volume of log messages generated may require storage volumes approaching petabytes (PB) of data. This has generally resulted in significant capital investment, staffing expense and operational complexity to provide secure and reliable storage for this length of time.
Of particular interest is the complexity and cost involved in maintaining large volumes of digital information, such as log data, over the number of years required by these regulations. Simply storing log data on computer media (e.g. hard disks or tape) is prone to media deterioration and failure resulting in the loss of the data. Computer storage arrays, regardless of media, reliably handle the failure of a fraction of the total number of media devices, but over a period on the order of five (5) or more years, all of the media devices in the storage array will have passed the manufacturer-specified duty cycle and are likely to fail in a way that is not recoverable by the storage array. Maintaining large volumes of digital data reliably over this time frame therefore requires continuous investment in hardware and expertise.
Current solutions to managing log data are available as part of the base operating system of computing systems, or as products offered for deployment on the customer's private network. Overall, these solutions require significant staff expertise or capital investment to deploy and maintain in a way that meets regulatory requirements, which usually must be borne by the customer alone.
SUMMARY
In accordance with some embodiments, a log collection appliance is co-located on a network and connected via the internet to a centralized data center for processing and long-term archiving. The servers, routers, switches and other network elements on the network are configured to direct log message traffic to the co-located appliance, allowing the appliance to buffer, prioritize and transmit a packetized representation of the log messages to the data center. Within this disclosure, the word “aggregate” is used interchangeably with the word “packet”. The data center may analyze the log messages for regulatory compliance or customer-specified policy related incidents and archive the messages and information for long term storage.
In one embodiment, the data transmission is managed such that only the available bandwidth is utilized for transmission of log message packets or log message aggregates, so as not to interfere with the normal operation of the network. The contents of each log message packet or log message aggregate are highly compressed using a lossless compression algorithm to a ratio of at least 10-to-1 to minimize the communications bandwidth consumed by large numbers of log messages. Each packet or aggregate containing log messages is signed using a cryptographically secure digital signature algorithm to ensure the integrity of the log messages as they are processed and archived in the data center.
In addition, in one embodiment, access to the processing and archive information is provided via a web application accessible from any computer connected to the internet. Incidents and archived log messages information are presented to the customer.
Embodiments disclosed herein make use of the fact that inexpensive public internet communications bandwidth and advanced cryptography capabilities are ubiquitously available today, and further that the majority of this communications bandwidth goes unused for some significant portion of each day. Embodiments disclosed herein offer an easy way for organizations to solve compliance and security challenges by delivering log management capabilities in an on-demand model. In one embodiment, a Software as a Service (SaaS) architecture enables users to pay for the services used without any additional computing costs. In other words, using embodiments disclosed herein, customers are spared from the capital investment, staff expense and operational complexity involved in managing the enormous volume of data represented by log messages generated from their compliance-relevant computing systems. They are able to leverage a reliable, secure and geographically dispersed infrastructure at a fraction of the cost to develop, deploy and maintain a log management solution using techniques available on the market today.
A hardened distributed data center environment may be utilized to meet the secure long-term archiving dictated by current compliance regulations. For small to mid-sized enterprises, the deployment of such a computing infrastructure would exceed, or at least approach a significant proportion of, their current investment in computing systems which run their primary business operations. All processing, analysis, reporting and archiving are performed using a shared computing infrastructure. Thus, the costs normally placed on each customer to set up a processing and archiving infrastructure may be shared by many customers, and in a secure and reliable fashion.
These, and other, aspects will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. The following description, while indicating various embodiments and numerous specific details thereof, is given by way of illustration and not of limitation. Many substitutions, modifications, additions or rearrangements may be made within the scope of the disclosure, and the disclosure includes all such substitutions, modifications, additions or rearrangements.
BRIEF DESCRIPTION OF THE DRAWINGS
Advantages of the present invention will become apparent to those skilled in the art with the benefit of the following detailed description and upon reference to the accompanying drawings in which:
FIG. 1 depicts an architectural diagram of one embodiment of a system for log message processing using a remote Internet infrastructure;
FIG. 2 depicts an illustration of one embodiment of a storage medium including software code having instructions in accordance with one embodiment;
FIG. 3 depicts a flow chart of one embodiment of a method for remote archiving and processing of log messages;
FIG. 4 depicts a block diagram of one embodiment of a system for log message processing using a remote internet infrastructure; and
FIG. 5 depicts one embodiment of an interface used with a web portal.
DETAILED DESCRIPTION
The invention and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well known starting materials, processing techniques, components and equipment are omitted so as not to unnecessarily obscure the disclosure in detail. Skilled artisans should understand, however, that the detailed description and the specific examples, while disclosing preferred embodiments, are given by way of illustration only and not by way of limitation. Various substitutions, modifications, additions or rearrangements within the scope of the underlying inventive concept(s) will become apparent to those skilled in the art after reading this disclosure.
As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, product, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
Additionally, any examples or illustrations given herein are not to be regarded in any way as restrictions on, limits to, or express definitions of, any term or terms with which they are utilized. Instead these examples or illustrations are to be regarded as being described with respect to one particular embodiment and as illustrative only. Those of ordinary skill in the art will appreciate that any term or terms with which these examples or illustrations are utilized encompass other embodiments as well as implementations and adaptations thereof which may or may not be given therewith or elsewhere in the specification and all such embodiments are intended to be included within the scope of that term or terms. Language designating such non-limiting examples and illustrations includes, but is not limited to: “for example,” “for instance,” “e.g.,” “in one embodiment,” and the like.
Reference is now made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts (elements).
FIG. 1 illustrates one embodiment of a system for processing log messages. Within the system, components including, but not limited to, data center 100, network 102, network 104, users 106, firewall 108, computing devices 110, switches 112, servers 114, appliance 116, and router 118 can cooperate to process log messages. As noted, the system includes appliance 116 and data center 100, each coupled to network 104. Other appliances (not shown) may also be coupled to network 102 or network 104. Network 102 may be an intranet, a private network, a WAN, a LAN, etc. Network 104 may be a public network such as the Internet. Firewall 108 may control access to router 118 and computing devices 110. Appliance 116 may be located on network 102 behind firewall 108. Appliance 116 may communicate with devices such as firewall 108, servers 114, computing devices 110, routers 118, and switches 112 on network 102 to collect log messages generated by users 106 or any of the devices. Computing devices 110 may include laptop computers, personal computers, personal digital assistants, cellular phones, etc.
Appliance 116 may be a desktop computer, a laptop computer, a workstation, or nearly any other device capable of receiving, processing, filtering, packetizing, compressing, encrypting, or sending log messages over network 104 to data center 100. In some embodiments, appliance 116 may be an application residing at one or more of the devices located on network 102. Thus, appliance 116 may be an application running on server 114, may have a portion running on firewall 108 and another portion running on router 118, etc.
In one embodiment, appliance 116 can include a central processing unit (“CPU”), read-only memory (“ROM”), random access memory (“RAM”), a hard drive (“HD”), and input/output devices. Read only memory, random access memory, and hard drive memory of appliance 116 can include media that can be read by the central processing unit and other processors or machines. Therefore, each of these types of memories may include a computer-readable medium. These memories may be internal or external to appliance 116.
Data center 100 may include analysis devices 120, processing devices 122, and data retention devices 124 for receiving, processing, and archiving log messages. Analysis devices 120, processing devices 122, and data retention devices 124 can also have a CPU, ROM, RAM, and HD, either collectively or individually. Data center 100 may include portal 500 for access by users 106 via network 104 such that log messages or data associated with the analysis of the log messages may be accessed. In some embodiments, web portal 500 may provide an interface for remote access. In some embodiments remote access may include configuring appliance 116, data retention devices 124, analysis devices 120, and/or processing devices 122. Remote access may include configuring criteria for determining what log messages are stored, how many queues are created, the size of the packets, and the like.
FIG. 2 illustrates a combination of software code elements 244, 246 and 248 that may be embodied within computer-readable medium 218 on hard drive 250 in appliance 116. Alternatively, the instructions may be stored as software code elements on a DASD array, magnetic tape, floppy diskette, optical storage device, or other computer-readable medium or storage device. In an illustrative embodiment, the computer-readable instructions may be lines of compiled C++, Java, or other language code.
Various software components may reside on a single appliance 116. For example, in some embodiments, a filtering application, a packetizing application, an encryption application, a digital signing application, a memory cache, and log message processing application may be stored in the same appliance 116. A set of computer-executable instructions in an embodiment may be contained on a data storage device, such as hard drive 250 of appliance 116.
During operation, embodiments disclosed herein include methods for providing log message processing. In some embodiments, processing may include archiving, compliance processing, systems management, or other types of processing. Embodiments may offer log message processing through a Software as a Service (SaaS) delivery platform. Appliance 116 may receive log messages collected using the Syslog, MSRPC, or other protocols. Appliance 116 may filter the messages into transmission priority queues, packetize the messages based on the priority. Appliance 116 may securely transmit the packets to data center 100 for processing in accordance with customer desires, requirements, regulatory compliance, etc.
FIG. 3 depicts a flow diagram for one method for processing log messages. In step 310, log messages may be collected from computing devices on network 102 and stored in conjunction with appliance 116. In some embodiments, access to Microsoft Windows log messages may be provided by remotely accessing the Windows Event Log using the Microsoft Remote Procedure Call (MSRPC). In some embodiments, a customer may configure firewall 108, servers 114, computing devices 110, routers 118 and switches 112 to send log messages to appliance 116. Appliance 116 may store a set of computer-executable instructions operable to receive log messages from computing devices 110, servers 114, switches 112, firewall 108, users 106, routers 118, or other devices located on network 102. Log messages may be sent according to the syslog protocol. RFC 3164 describes aspects of the syslog protocol. Those skilled in the art will appreciate that collection may be possible by changing the syslog pointers to appliance 116. Appliance 116 may store collected log messages in a buffer, discussed below. In some embodiments, collecting log messages may include translating the log messages using Dynamic Link Libraries (DLLs). U.S. patent application Ser. No. 12/141,209, filed Jun. 18, 2008, entitled “Log Message Collection Employing On-Demand Loading of Message Translation Libraries” describes one method for translating log messages and is hereby incorporated by reference in its entirety.
In step 320, appliance 116 may utilize a set of message content rules to filter the log messages into priority queues or discard messages not designated for retention. In some embodiments, three priority queues may be used, although any number of priority queues may be established by a user. The priority queues may be based on users 106, servers 114, computing devices 110, firewall 108, switches 112 or router 118. For example, a log message generated from a particular server 114 may have a higher priority than one from another server 114. A log message generated by a selected user 106 may be designated a higher priority than a log message generated by another user 106. A log message generated from outside firewall 108 may have a higher priority rating than a log message generated from inside firewall 108. The priority queues may be prioritized as high, medium or low. The priority queues may have a numerical prioritization such as 1-5. Those skilled in the art will appreciate that other prioritization formats may be utilized. The filtered and prioritized log messages may be stored in queues in appliance 116.
In step 330, appliance 116 may packetize the messages from one or more priority queues. Packetization may be based on the bandwidth of the network 104 available for communicating with data center 100 or the packetization algorithm. The bandwidth policy and packetization algorithm may independently affect the size of the packets, or may interact to affect the size of the packets.
A bandwidth transmission policy may be a set of limits specifying the bandwidth limit appliance 116 is permitted to utilize. The bandwidth limit may be specified as a number of bytes per second or some other criterion. In some embodiments, the set of limits may be composed of non-overlapping time frames, with each time frame having an associated bandwidth limit. In some embodiments, a default bandwidth may be in effect when no bandwidth limit has been specified. Thus, if the available bandwidth is high, the packet size may be larger to accommodate more log messages or more packets may be sent. By packetizing the messages based on the available bandwidth, interference with day-to-day operations of the network or devices on the network may be reduced. In an example, Table 1 depicts a sample bandwidth transmission policy. In Table 1, a first (default) bandwidth limit is set at 1500 Kbps, a second bandwidth limit is set at 200 Kbps between 0600-1800 hours, and a third bandwidth limit is set at 700 Kbps between 1800-2100 hours.
TABLE 1
Default Rate 1500 Kbps
0600-1800 hours  200 Kbps
1800-2100 hours  700 Kbps
With the effective bandwidth transmission limit in effect, appliance 116 may follow a packetization algorithm to generate packets of log messages for transport. As log messages arrive at appliance 116, they can be sorted into transmission priority queues based on a prioritization policy, such as in step 320. Appliance 116 may utilize a packetization algorithm to select log messages from the various queues based on the priority of the log message, and fill packets to the configured size limit.
Table 2 depicts one embodiment of a packetization algorithm that may be used by appliance 116 to packetize log messages.
TABLE 2
1. Select log messages from the highest priority queue available until:
   1.1 The size limit of the packet is reached;
   1.2 The queue is exhausted; or
   1.3 The next log message is outside of the packet time interval.
2. Select log messages from the next lower queue available for the current interval, until:
   2.1 The size limit of the packet is reached;
   2.2 The queue is exhausted; or
   2.3 The next log message is outside the packet time interval.
3. Repeat the second step until:
   3.1 The size limit of the packet is reached; or
   3.2 All queues have been processed.
In one embodiment, a queue that was found exhausted when appliance 116 selected from it may be skipped on each subsequent execution of the algorithm until one of the following occurs: the lowest priority queue was exhausted on the last execution, the queue has been skipped for a priority-specific time period, or the contents of the queue would fill more than half of the packet size limit.
Embodiments may also allow a user to designate rules for packetizing. For example, a user may establish criteria such that all high priority log messages are packetized and sent from appliance 116 to data center 100 immediately, regardless of bandwidth. A user may establish criteria such that medium priority log messages are sent only during selected hours, or when the bandwidth is at a selected level. A user may establish criteria such that low priority log messages are sent only during selected hours, only when the bandwidth is at its highest level, or some other criteria. Thus, a user is able to designate criteria that enable embodiments to optimize the transmission of information to ensure higher priority messages are received timely, but without decreasing transmission rates (or increasing bandwidth costs) due to the transmission of lower priority messages. It will be apparent that a wide variety of criteria may be utilized by a user to designate these types of rules.
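The filtering of step 320, the bandwidth policy of Table 1 and the packetization algorithm of Table 2 can be written down compactly. The following is an added example for this page, not code from the patent or from Alert Logic: the line format, the host names, the inside-network range, the rule patterns, the "one second of traffic per packet" sizing and all of the log lines are constructed assumptions chosen so the example runs offline. It generalizes the text slightly by letting the packet time interval start at the first message selected rather than at a fixed clock tick.

```python
import ipaddress
import re
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Table 1 as (start_hour, end_hour, kbps); the default rate applies when no window matches.
DEFAULT_KBPS = 1500
BANDWIDTH_WINDOWS = [(6, 18, 200), (18, 21, 700)]

# Constructed prioritisation policy (hypothetical host names and networks).
CRITICAL_HOSTS = {"db01"}                            # e.g. the server holding patient files
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # anything else counts as outside the firewall
DISCARD = re.compile(r"\bDEBUG\b")                   # content not designated for retention
MEDIUM = re.compile(r"denied|unauthori[sz]ed|failed", re.I)

# Constructed line format: "<epoch seconds> <host> <source ip> <text>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<ip>\S+) (?P<text>.*)$")


@dataclass
class LogMessage:
    ts: int
    host: str
    src_ip: str
    text: str

    @property
    def size(self) -> int:
        return len(self.text.encode())


def bandwidth_limit_kbps(hour: int) -> int:
    """Bandwidth limit in effect at `hour` (0-23) under the Table 1 policy."""
    for start, end, kbps in BANDWIDTH_WINDOWS:
        if start <= hour < end:
            return kbps
    return DEFAULT_KBPS


def priority(msg: LogMessage) -> Optional[int]:
    """0 = high, 1 = medium, 2 = low; None = discard. First matching rule wins."""
    if DISCARD.search(msg.text):
        return None
    src = ipaddress.ip_address(msg.src_ip)
    if msg.host in CRITICAL_HOSTS or not any(src in net for net in INSIDE_NETS):
        return 0   # critical server, or a message that originated outside the firewall
    if MEDIUM.search(msg.text):
        return 1
    return 2


def new_queues(n: int = 3):
    return [deque() for _ in range(n)]   # index 0 is the highest priority


def enqueue(lines, queues) -> int:
    """Step 320: sort each retained line into its priority queue; returns the count kept."""
    kept = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        msg = LogMessage(int(m["ts"]), m["host"], m["ip"], m["text"])
        p = priority(msg)
        if p is not None:
            queues[p].append(msg)
            kept += 1
    return kept


def build_packet(queues, size_limit: int, interval_seconds: int):
    """Step 330, Table 2: fill one packet from the highest priority queue downwards.
    Selection from a queue stops when the packet is full (1.1/2.1), the queue is
    exhausted (1.2/2.2) or the next message lies outside the packet time interval
    (1.3/2.3), which starts at the first message selected. A single message larger
    than the limit is carried alone rather than stalling the queue forever."""
    packet, used, start = [], 0, None
    for q in queues:
        while q:
            msg = q[0]
            if start is not None and msg.ts > start + interval_seconds:
                break                       # 1.3 / 2.3: move on to the next queue
            if packet and used + msg.size > size_limit:
                return packet               # 1.1 / 2.1 / 3.1: packet is full
            q.popleft()
            packet.append(msg)
            used += msg.size
            if start is None:
                start = msg.ts
    return packet                           # 3.2: all queues processed


def packetize_all(lines, hour: int, interval_seconds: int = 60, seconds_per_packet: int = 1):
    """Drain the queues into packets sized for the bandwidth limit at `hour`.
    Assumption: one packet carries `seconds_per_packet` seconds of traffic at the
    limit (1 Kbps = 125 bytes/s). Returns a list of packets (lists of messages)."""
    queues = new_queues()
    enqueue(lines, queues)
    size_limit = bandwidth_limit_kbps(hour) * 125 * seconds_per_packet
    packets = []
    while any(queues):
        packets.append(build_packet(queues, size_limit, interval_seconds))
    return packets


# Constructed sample input (not real log data).
SAMPLE_LINES = [
    "1000 web01 10.0.0.5 sshd[812]: Accepted password for alice from 10.0.0.5",
    "1001 web01 10.0.0.5 app[223]: DEBUG cache warmed",
    "1002 db01 10.0.0.5 postgres[410]: SELECT on patient_records by alice",
    "1003 fw01 203.0.113.9 kernel: DROP IN=eth0 SRC=203.0.113.9",
    "1004 web02 10.0.0.7 sshd[900]: Failed password for bob from 10.0.0.7",
    "1005 web02 10.0.0.7 cron[77]: job finished",
    "1100 web01 10.0.0.5 cron[78]: job finished",
]

if __name__ == "__main__":
    for n, pkt in enumerate(packetize_all(SAMPLE_LINES, hour=9), 1):
        print("packet", n, [(m.ts, m.host) for m in pkt])
```

Run at 09:00 the policy yields 200 Kbps, so a packet is capped at 25,000 bytes; the sample is small enough that the first packet carries both high-priority messages, then the medium one, then the low-priority messages that fall inside the 60-second interval, and the message at time 1100 waits for the next packet. Calling `build_packet` directly with a small `size_limit` shows the 1.1 cut-off instead.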
In step 340, appliance 116 may compress the packets. The compression of the log message data may be performed using the bzip2 algorithm [BZIP2]. In step 350, appliance 116 may encrypt each packet before sending the packet over network 104. SHA-256 is named here as an example algorithm; note that SHA-256 is a cryptographic hash function, not a cipher, so in practice a symmetric cipher such as AES would encrypt the packet and SHA-256 would serve as the hash within the digital signature. In step 360, appliance 116 may digitally sign the encrypted packet before sending the packet over network 104. The FIPS 186-2 digital signature algorithm (DSA) is one example of a digital signature algorithm which may be used to digitally sign such messages. Signing the packet after encryption lets the data center reject a tampered or forged packet before it decrypts or decompresses anything. Those skilled in the art will appreciate that other compression, encryption and signature algorithms may be used.
Once constructed, in step 370 packets that have been compressed, encrypted and digitally signed may be transmitted to data centers via encrypted transport over a public network, such as the Internet, and processed. In some embodiments, appliance 116 can communicate with data center 100 to send packets of log messages from network 102 to data center 100 using network 104. Communications between appliance 116 and data center 100 can be accomplished using electronic, optical, radio-frequency, or other signals. For example, when a user accesses appliance 116, appliance 116 may convert the signals to a human understandable form when sending a communication to the user and may convert input from a human to appropriate electronic, optical, radio-frequency, or other signals to be used by data center 100. Similarly, when an operator accesses data center 100, data center devices 120, 122, and 124 may convert the signals to a human understandable form when sending a communication to the operator and may convert input from a human to appropriate electronic, optical, radio-frequency, or other signals to be used by appliance 116.
The transmission of packets may be controlled via the appliance in order to limit the amount of network bandwidth utilized, which allows the customer to manage the impact on their network.
Embodiments disclosed herein may satisfy regulatory compliance processing without the storage volume normally associated with archiving log messages. For example, if log messages are retained in response to a statutory requirement, a digital signature may be used to verify that the compressed and encrypted log messages archived in a remote infrastructure are the same as the original log messages. As a result, a user may satisfy the statutory requirement using a fraction of the storage volume.
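The packet pipeline of steps 340 to 370, together with the acknowledgement handling described for FIG. 4 (the appliance deletes a packet only after the acknowledgement relayed from the second data center arrives, and resends it after a timeout), is shown below as an added example. It is not the patent's or Alert Logic's code. Two substitutions are assumptions: the signature is an HMAC-SHA256 over the frame rather than the FIPS 186 DSA signature the description names, because it needs only the standard library, and the encryption step is left to the encrypted transport the description also mentions. The 16-byte frame header, the shared key and the log lines are constructed.

```python
import bz2
import hashlib
import hmac
import struct

# Assumptions: a key provisioned to the appliance and both data centers, and a
# hypothetical frame layout of magic, 64-bit sequence number, payload length.
KEY = b"constructed-demo-key-not-for-real-use"
MAGIC = b"LGP1"
HEADER = struct.Struct("!4sQI")
TAG_LEN = 32
MAX_DECOMPRESSED = 1 << 20       # refuse payloads that inflate beyond 1 MiB


def seal_packet(messages, seq: int, key: bytes = KEY) -> bytes:
    """Steps 340 and 360: bzip2-compress the packet, frame it, and sign header+payload
    so neither the sequence number nor the contents can change unnoticed."""
    payload = bz2.compress("\n".join(messages).encode())
    header = HEADER.pack(MAGIC, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_packet(blob: bytes, seen: set, key: bytes = KEY):
    """Data-center side: verify the signature before touching the compressed bytes,
    reject replays by sequence number, and cap the decompressed size.
    Returns (seq, messages); raises ValueError on any failure."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("truncated packet")
    header, body, tag = blob[:HEADER.size], blob[HEADER.size:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    magic, seq, length = HEADER.unpack(header)
    if magic != MAGIC or length != len(body):
        raise ValueError("bad header")
    if seq in seen:
        raise ValueError("replayed packet %d" % seq)
    d = bz2.BZ2Decompressor()
    data = d.decompress(body, MAX_DECOMPRESSED)
    if not d.eof:
        raise ValueError("payload inflates beyond limit")
    seen.add(seq)
    return seq, data.decode().split("\n")


class Appliance:
    """Buffers every sealed packet until it is acknowledged; unacknowledged
    packets are resent once `timeout` seconds have passed since the last send."""

    def __init__(self, timeout: int = 30):
        self.seq, self.timeout, self.pending = 0, timeout, {}

    def send(self, messages, now: int) -> bytes:
        self.seq += 1
        blob = seal_packet(messages, self.seq)
        self.pending[self.seq] = (blob, now)
        return blob

    def acknowledge(self, seq: int) -> None:
        self.pending.pop(seq, None)          # only now is the packet deleted from the buffer

    def retransmit_due(self, now: int):
        due = []
        for seq, (blob, sent_at) in list(self.pending.items()):
            if now - sent_at >= self.timeout:
                self.pending[seq] = (blob, now)
                due.append(blob)
        return due


class DataCenter:
    def __init__(self):
        self.seen, self.archive = set(), {}

    def receive(self, blob: bytes) -> int:
        seq, messages = open_packet(blob, self.seen)
        self.archive[seq] = messages
        return seq                           # the acknowledgement sent back


# Constructed, deliberately repetitive log lines (not real data).
SAMPLE = ["Jun 18 12:%02d:%02d db01 postgres[410]: SELECT on patient_records by user%d"
          % (i // 60, i % 60, i % 3) for i in range(200)]


def demo():
    """Push one packet through the exchange and report what happened."""
    ap, dc = Appliance(timeout=30), DataCenter()
    blob = ap.send(SAMPLE, now=0)
    ratio = len("\n".join(SAMPLE).encode()) / (len(blob) - HEADER.size - TAG_LEN)
    ack = dc.receive(blob)
    i = HEADER.size + 8                      # flip one bit inside the compressed payload
    tampered = blob[:i] + bytes([blob[i] ^ 1]) + blob[i + 1:]
    results = {"ack": ack, "archived": len(dc.archive[ack]), "ratio": ratio}
    for name, attempt in (("tamper", tampered), ("replay", blob)):
        try:
            dc.receive(attempt)
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    results["retransmitted"] = len(ap.retransmit_due(now=31))   # ack not yet relayed
    ap.acknowledge(ack)
    results["pending_after_ack"] = len(ap.pending)
    return results


if __name__ == "__main__":
    print(demo())
```

Two checks matter on the receiving side: the signature is verified with a constant-time comparison before the body is decompressed, so a forged or corrupted packet never reaches bzip2, and the decompressor is given an output cap so an attacker who obtains the key cannot exhaust the data center with a tiny packet that inflates enormously. The sequence number in the signed header doubles as the acknowledgement token and as replay protection.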
FIG. 4 depicts a block diagram of one embodiment of a system for archiving log messages. Appliance 116 on network 102 may communicate with computing devices 110, servers 114, switches 112 and routers 118, each of which may forward log messages to appliance 116. Appliance 116 may filter the log messages and prioritize the log messages received from computing devices 110, servers 114, switches 112, routers 118 and other devices located on network 102 based on user-defined criteria. Examples include, but are not limited to, the type of computing device, the identification (username or password) of a person 106 accessing or attempting to access network 102, the time of day, the program or application the user is using or attempting to use, the length of time the program is being used, and what information is being requested. In some embodiments, appliance 116 may store the filtered log messages in transmission priority queues such as queues 117 a, 117 b and 117 c in buffer 132. Buffer 132 or queues 117 a, 117 b and 117 c may be internal or external to appliance 116. In some embodiments, filtering may be based on a program, address or facility that generated the log message.
Appliance 116 may communicate with first data center 100A over network 104 to send packets from appliance 116 to first data center 100A. First data center 100A may receive packets which have been compressed, encrypted or digitally signed and store the packets in reliable storage 208A. First data center 100A may include applications 210A that are useful for analyzing the log messages in accordance with customer processing desires, requirements, protocols, etc. Applications 210A may be stored on analysis devices 120 or processing devices 122 (not shown in FIG. 4). First data center 100A may include applications 210A that may process log message packets to decompress, decrypt, and verify packets and process the data contained in each packet. Examples of processing which may occur at first data center 100A include, but are not limited to, normalizing log messages, extracting data from log messages, full text indexing of log messages, parsing log messages, structured output, data persistence, correlating log message data, and informing and alerting users of various events and processing results.
In some embodiments, full text indexing may be performed real time to enable users to access the log messages. A drawback of prior art archiving is that there may be a delay of days or weeks before the log messages are available for searching. Embodiments disclosed herein allow nearly instantaneous search capability. In some cases, such as compliance processing, this enables a company, medical office, or other entity required to perform compliance processing to quickly access the log messages. Advantageously, if there has been a breach of security, an unauthorized access, or some other event covered by HIPAA, GLB, SOX, or some other regulation, the log messages may be accessible almost instantly, which may be critical to preventing further events.
In some embodiments, parsing may be performed nearly real time. In some embodiments, parsing may be available nearly real-time for high-priority log messages, particularly when the user has designated that log messages be sent immediately to another location.
In some embodiments, structured output processing may be performed on log messages. Structured output may be used to display information about log messages. For example, structured output processing may indicate when certain computing devices are most active, what programs and applications users 106 are accessing, and the like.
In some embodiments, persistence processing may be performed based on the type of information or regulations pertaining to the data. For example, legislation may require information to be retained for seven years. In this situation, the persistence processing may be more robust than persistence processing that may be based on a three-year requirement. Embodiments disclosed herein allow users to define criteria for archiving and processing, such that each customer may designate the storage requirements they need, etc. In this way, a user that requires less robust storage requirements may not need to pay for a robust storage system, but may easily change the storage requirements if needed.
In some embodiments, advanced correlation processing may also be performed. For example, appliance 116 may send log messages indicating that the same user 106 has tried to access server 114 from several different computing devices 110 at the same time. Each attempt, when viewed as a stand-alone event, may not be noteworthy. However, advanced correlation processing may determine that the password for user 106 has been compromised and that multiple users 106 attempting to use the same password should be blocked. In some embodiments, advanced correlation processing may be useful for determining when firewall 108 has been breached, when servers 114 are being attacked, or the like.
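The correlation rule described above (one user logging on from several computing devices at the same time) can be expressed as detection logic over parsed log messages. The following is an added example, not code from the patent or from the assignee's product: it assumes a constructed logon-line format, a 60-second window and a threshold of three distinct devices, all of which are parameters of the example rather than values the patent specifies, and it returns the kind of alert and response actions the paragraph lists (notify, log the user off, deny further access).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the patent): logon events on server 114
# as they might look after parsing at the data center.
SAMPLE_LOGS = [
    "2008-06-18T09:00:01 server114 logon user=alice device=host-a result=success",
    "2008-06-18T09:00:07 server114 logon user=alice device=host-b result=success",
    "2008-06-18T09:00:15 server114 logon user=alice device=host-c result=success",
    "2008-06-18T09:01:00 server114 logon user=bob device=host-a result=success",
    "2008-06-18T09:30:00 server114 logon user=bob device=host-d result=success",
    "2008-06-18T09:02:00 server114 logon user=carol device=host-e result=failure",
    "this line does not match the expected format",
]

# Assumed line format for this example; a real deployment would use the
# parser for its own log sources.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon user=(?P<user>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed logon line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def concurrent_device_logons(lines, window=timedelta(seconds=60), min_devices=3):
    """Correlate successful logons per user and report users seen on at least
    `min_devices` distinct devices inside any sliding window of length `window`.
    Each logon on its own is unremarkable; only the combination is flagged."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue  # unparseable lines and failed logons do not count
        by_user[rec["user"]].append((rec["ts"], rec["device"]))

    alerts = {}
    for user, events in by_user.items():
        events.sort()  # chronological order so the window can slide
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            devices = {dev for _, dev in events[start:end + 1]}
            if len(devices) >= min_devices:
                alerts[user] = alerts.get(user, set()) | devices
    return alerts


def response_actions(alerts):
    """Turn each correlated finding into the responses the description lists:
    notify, instruct the devices to log the user off, deny further access."""
    actions = []
    for user, devices in sorted(alerts.items()):
        actions.append(f"alert: credentials of {user} likely shared or compromised")
        for dev in sorted(devices):
            actions.append(f"instruct {dev}: log off {user}")
        actions.append(f"instruct server114: deny further access for {user} pending reset")
    return actions
```

With the constructed input, only `alice` trips the rule (three devices within 14 seconds); `bob` uses two devices half an hour apart and `carol` never logged on successfully. Lowering `min_devices` or widening `window` changes the verdict for `bob`, which is why both are kept as explicit parameters rather than hard-coded.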
Alerting may refer to sending a communication based on a log message. First data center 100A may process the log messages in a packet such that information is available for users 106.
Data center 100A having applications 210A for processing may provide many advantages. As an example, if an unauthorized user 106 accessed a patient file stored on server 114, a log message may be generated to indicate that an unauthorized person 106 was accessing the database, a log message may be generated to indicate that user 106 had logged on to a particular computing device 110, a log message may be generated to indicate that user 106 had accessed server 114, etc. Each log message generated from the event may be filtered as a high priority message and sent immediately to data center 100A. Applications 210A in data center 100A may process the log messages to determine the response. In some embodiments, data center 100A may send an alert to user 106 in network 102 notifying the user that they are not authorized to access the database, send an alert to the supervisor of user 106, send an alert to the computing device 110 upon which unauthorized user 106 is accessing the database, send an alert to server 114, etc. The alert may be an instruction to user 106 to stop accessing the database, a set of instructions for computing device 110 to log off the unauthorized user, a set of instructions for server 114 to deny further access, etc.
First data center 100A may send a copy of each compressed, encrypted and digitally signed packet to second data center 100B. Thus, second data center 100B may receive a copy of the packet of log messages that has been packetized, compressed, encrypted or digitally signed and sent to first data center 100A. Second data center 100B may include storage 208B and applications 210B. Applications 210B may perform the same or different processing on packets in second data center 100B that applications 210A perform on packets received in first data center 100A. For example, in some embodiments, data center 100B does not perform alert processing. In some embodiments, data center 100B may perform some alert processing but may not send an alert. In some embodiments, by having redundant or similar functionality, data center 100B may assume the functions of data center 100A in the event data center 100A is unable to function as the primary data center, such as due to a natural disaster or other outside factor, or due to being taken off-line for maintenance or some other internal factor. In some embodiments, data center 100A may be the primary data center for a first network and the secondary (backup) data center 100B for a second network, and data center 100B may be the primary data center for the second network and the secondary (backup) data center for the first network.
After data center 100B has received a copy of the packet sent from data center 100A, data center 100B may send an acknowledgement message to data center 100A. Upon receipt of the acknowledgement message, data center 100A may forward the message or may send a copy of the message to appliance 116. If first data center 100A does not receive an acknowledgement within a selected time limit, first data center 100A may send another copy of the packet. Upon receipt of an acknowledgement message from data center 100A, appliance 116 may delete the corresponding packet from memory. If appliance 116 does not receive an acknowledgement within a selected time limit, appliance 116 may send another copy of the packet. An advantage is that the storage volume needed on network 102 may be minimized based on criteria set up by the customer, while ensuring that the log messages are securely stored at the remote internet infrastructure before they are deleted from network 102.
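The store-and-acknowledge chain in the two paragraphs above (appliance keeps the packet until data center 100A acknowledges; 100A acknowledges only after 100B has acknowledged its copy; each hop retransmits on timeout) is shown below as an added simulation, not code from the patent. The link model, the retry budget of three attempts per hop and the content-derived packet id are assumptions of the example; the patent leaves the time limits and retry policy to the implementer.

```python
import hashlib


class FlakyLink:
    """Constructed link model (not from the patent): the first `drop` deliveries
    are lost, so the sender sees no reply and treats it as a timeout."""

    def __init__(self, drop=0):
        self.drop = drop
        self.deliveries = 0

    def deliver(self, handler, *args):
        self.deliveries += 1
        if self.deliveries <= self.drop:
            return None  # lost in transit: no acknowledgement comes back
        return handler(*args)


class SecondaryDataCenter:
    """Data center 100B: stores the copy, then acknowledges to 100A."""

    def __init__(self):
        self.storage = {}

    def receive_copy(self, pkt_id, blob):
        self.storage[pkt_id] = blob  # a resent duplicate overwrites identical bytes
        return ("ack", pkt_id)


class PrimaryDataCenter:
    """Data center 100A: stores the packet, replicates it to 100B with
    retransmission, and acknowledges to the appliance only once 100B has acked."""

    def __init__(self, secondary, link_to_secondary, max_attempts=3):
        self.storage = {}
        self.secondary = secondary
        self.link = link_to_secondary
        self.max_attempts = max_attempts

    def receive(self, pkt_id, blob):
        self.storage[pkt_id] = blob
        for _ in range(self.max_attempts):
            reply = self.link.deliver(self.secondary.receive_copy, pkt_id, blob)
            if reply == ("ack", pkt_id):
                return ("ack", pkt_id)  # forwarded acknowledgement to the appliance
        return None  # 100B never acknowledged within the retry budget


class Appliance:
    """Appliance 116: keeps each packet in memory until the end-to-end ack arrives."""

    def __init__(self, primary, link_to_primary, max_attempts=3):
        self.primary = primary
        self.link = link_to_primary
        self.max_attempts = max_attempts
        self.pending = {}

    def enqueue(self, blob):
        pkt_id = hashlib.sha256(blob).hexdigest()[:16]  # content-derived packet id
        self.pending[pkt_id] = blob
        return pkt_id

    def flush(self):
        """Try to deliver every pending packet; return the ids still unacknowledged."""
        for pkt_id, blob in list(self.pending.items()):
            for _ in range(self.max_attempts):
                reply = self.link.deliver(self.primary.receive, pkt_id, blob)
                if reply == ("ack", pkt_id):
                    del self.pending[pkt_id]  # safe to free local storage only now
                    break
        return set(self.pending)


def run_replication(drop_to_primary=0, drop_to_secondary=0):
    """Drive one packet through appliance -> 100A -> 100B with the given loss pattern."""
    link_a = FlakyLink(drop_to_primary)
    link_b = FlakyLink(drop_to_secondary)
    dc_b = SecondaryDataCenter()
    dc_a = PrimaryDataCenter(dc_b, link_b)
    appliance = Appliance(dc_a, link_a)
    blob = b"constructed aggregate of log messages"  # stands in for a packetized aggregate
    pkt_id = appliance.enqueue(blob)
    unacked = appliance.flush()
    return {
        "pkt_id": pkt_id,
        "still_on_appliance": pkt_id in unacked,
        "stored_at_primary": pkt_id in dc_a.storage,
        "stored_at_secondary": pkt_id in dc_b.storage,
        "sends_to_primary": link_a.deliveries,
        "sends_to_secondary": link_b.deliveries,
    }
```

The property worth checking is the one the description relies on: the appliance releases its copy only when both data centers hold the packet. When the secondary is unreachable for the whole retry budget, the packet stays on the appliance and at 100A, so nothing is lost; when a single hop drops a delivery, the retransmission makes the chain complete without the appliance noticing.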
FIG. 5 depicts an illustration of a web portal 500 according to one embodiment. As depicted in FIG. 5, web portal 500 may allow users 106 on network 102 to view information associated with log messages sent to data center 100A. In some embodiments, graph 511 or data 512 may be used to display information about the types of log messages received by data center 100A. In some embodiments, graph 513 or data 514 may be used to display information about the busiest IP addresses. In some embodiments, graph 515 or data 516, 517 or 518 may be used to display information about archival disk usage. An advantage to embodiments disclosed herein is that the operator of network 102 does not need the capital investment required by prior art approaches. For example, graph 515 illustrates (and data 518 depicts) that archival disk usage is 28.23 GB. Thus, the customer may be billed for only 28.23 GB of storage volume at data center 100A. As the customer's storage need grows, the customer may be billed for the increased storage volume. In this way, the customer may maintain enough storage on a day-to-day basis. In some cases, this may be more desirable than having a user estimate how much storage volume they will need and purchase an appropriate storage device. In the case of a new business, the owner may try to estimate the storage volume needed months or years in the future, and may underestimate the amount of storage volume needed or may overestimate the storage volume needed. If too little storage volume is purchased, critical data might be lost, which may have regulatory consequences. If too much storage volume is purchased, the cost may negatively affect the financial status of the company. Data 516 may be used to provide information on the number of log sources generating log messages. Data 517 may be used to provide information on the number of log messages identified for processing.
In some embodiments, graph 519 may be used to display information about archived messages, such as the quantity stored in a given time period. Graph 519 may be used to show that the number of messages archived in data center 100A fluctuates during a 24-hour period. For example, graph 519 illustrates that the number of messages sent around hour 17 was higher than any other time period, which may be an indication of more log messages generated during that time period, or may be an indication that more bandwidth was available during that time.
Web portal 500 may include other information displayed as Summary 510, Dashboard 520, Threats 530, Vulnerabilities 540, Logs 550, Cases 560, Management 570, Reports 580, or some other tool. Web portal 500 may allow users to establish criteria for log message archiving and processing. For example, web portal 500 may allow a user to establish the number of priority queues, the criteria for filtering log messages into the priority queues, the criteria for packetizing the log messages, and any other criteria. Thus, some or all the functionality of log message archiving and processing may be performed using a remote internet infrastructure.
In the foregoing specification, the disclosure has been described with reference to specific embodiments. However, one of ordinary skill in the art will appreciate that various modifications and changes can be made without departing from the spirit and scope of the invention disclosed herein. Accordingly, the specification and figures disclosed herein are to be regarded in an illustrative rather than a restrictive sense, and all such modifications are intended to be included within the scope of the disclosure.

Claims (20)

The invention claimed is:
1. A method comprising:
receiving a plurality of log messages from a plurality of computing devices on a computer network;
filtering the plurality of log messages based on one or more sets of message content rules so as to aggregate one or more of the plurality of log messages based on priority, wherein each of the plurality of log messages is discarded or retained in one of a plurality of priority queues, wherein the plurality of priority queues comprise at least three queues;
generating at least one aggregate prior to sending the at least one aggregate over a network connection, wherein each of the at least one aggregate contains a set of retained log messages from one or more of the plurality of priority queues, wherein the generating step further comprises:
selecting, in order of priority, one or more of log messages stored in a first of the plurality of priority queues until a packet size limit is reached, the first priority queue is exhausted, or a next log message is outside of a packet time interval;
compressing the at least one aggregate;
encrypting the at least one aggregate;
digitally signing the at least one aggregate; and
sending the at least one aggregate over the network connection to a data center.
2. The method of claim 1, wherein the plurality of priority queues comprises at least a high priority queue, a medium priority queue, and a low priority queue.
3. The method of claim 1, wherein the compressing step is performed using the bzip.2 algorithm.
4. The method of claim 1, wherein the encrypting step is performed using the SHA-256 algorithm.
5. The method of claim 1, wherein the digitally signing step is performed using the FIPS 186-2 algorithm.
6. The method of claim 1, wherein the generating step further comprises:
a) selecting one or more log messages stored in a second of the plurality of priority queues until the packet size limit is reached, the second priority queue is exhausted, or the next log message is outside of the packet time interval; and
b) repeating the a) step until the packet size limit is reached or all of the plurality of priority queues have been processed.
7. The method of claim 1, further comprising:
determining an available bandwidth, wherein the generating step is performed based in part on the available bandwidth; and
sending the at least one aggregate within limits of the available bandwidth.
8. The method of claim 7, wherein the available bandwidth changes with respect to time.
9. The method of claim 7, wherein the limits comprise non-overlapping time frames, with each of the non-overlapping time frames having an associated bandwidth limit for transmission.
10. An appliance, comprising:
a memory;
a processor; and
a set of computer-executable instructions stored in the memory, wherein the processor is operable to execute the instructions to:
receive a log message;
discard or retain the log message in one of a plurality of queues in the memory based on one or more sets of message content rules so as to facilitate aggregation of one or more of the plurality of log messages based on priority, wherein the plurality of queues comprise at least three queues;
generate at least one aggregate prior to sending the at least one aggregate over a network connection, wherein each of the at least one aggregate contains a set of retained log messages from one or more of the plurality of queues, wherein in generating the at least one aggregate the instructions are further executable to select, based at least in part on priority, one or more log messages from a first of the plurality of priority queues until a packet size limit is reached, the first priority queue is exhausted, or a next log message is outside of a packet time interval;
compress the at least one aggregate;
encrypt the at least one aggregate;
digitally sign the at least one aggregate; and
send the at least one aggregate over the network connection to a data center.
11. A method comprising:
at a network device, filtering a plurality of log messages based on one or more sets of message content rules so as to aggregate one or more of the plurality of log messages based on priority, wherein each of the plurality of log messages is discarded or retained in one of a plurality of priority queues, wherein the plurality of priority queues comprise at least three queues;
generating at least one aggregate prior to sending the at least one aggregate over a network connection, wherein each of the at least one aggregate contains a set of retained log messages, wherein the generating step further comprises:
a) selecting, in order of priority, one or more of log messages stored in a first of the plurality of priority queues until a packet size limit is reached, the first priority queue is exhausted, or a next log message is outside of a packet time interval;
b) selecting one or more log messages stored in a second of the plurality of priority queues until the packet size limit is reached, the second priority queue is exhausted, or the next log message is outside of the packet time interval; and
c) repeating the b) step until the packet size limit is reached or all of the plurality of priority queues have been processed;
compressing the at least one aggregate;
encrypting the at least one aggregate;
digitally signing the at least one aggregate; and
sending the at least one aggregate over the network connection to a data center.
12. A system comprising:
an appliance comprising:
a memory;
a processor; and
a set of computer-executable instructions stored in the memory, wherein the processor is operable to execute the instructions to:
receive a log message;
discard or retain the log message in one of a plurality of queues in the memory based on one or more sets of message content rules so as to facilitate aggregation of one or more of the plurality of log messages based on priority, wherein the plurality of queues comprise at least three queues;
generate at least one aggregate prior to sending the at least one aggregate over a network connection, wherein each of the at least one aggregate contains a set of retained log messages from one or more of the plurality of queues, wherein in generating the at least one aggregate the instructions are further executable to select, based at least in part on priority, one or more log messages from a first of the plurality of priority queues until a packet size limit is reached, the first priority queue is exhausted, or a next log message is outside of a packet time interval;
compress the at least one aggregate;
encrypt the at least one aggregate;
digitally sign the at least one aggregate; and
send the at least one aggregate over the network connection;
a first data center comprising:
a memory for storing the at least one aggregate received from the appliance;
one or more applications for processing the at least one aggregate and the retained log messages contained in the at least one aggregate; and
a web portal for displaying one or more of the retained log messages; and
a second data center comprising:
a memory for storing a copy of the at least one aggregate received from the first data center;
one or more applications for processing the retained log messages contained in the copy of the at least one aggregate received from the first data center.
13. The system of claim 12, wherein the one or more applications in the first data center and in the second data center are operable to perform one or more of full text indexing, parsing, persistence processing, structured output processing, advanced correlation processing, and alerting.
14. The system of claim 12, wherein the appliance is operable to:
determine an available bandwidth for transmission; and
generate the at least one aggregate containing the log messages based in part on the available bandwidth.
15. The system of claim 14, wherein the appliance is operable to:
a) select one or more of the log messages stored in a second of the plurality of priority queues until the packet size limit is reached, the second priority queue is exhausted, or the next log message is outside of the packet time interval; and
b) repeat a) until the packet size limit is reached or all of the plurality of priority queues have been processed.
16. The system of claim 12, wherein graphical information associated with the log messages received by the first data center or the second data center is accessible via the web portal.
17. The system of claim 16, wherein criteria for filtering a log message is established via the web portal.
18. A method comprising:
receiving a log message into an appliance on a network;
discard or retain the log message in one of a plurality of priority queues in a memory based on one or more sets of message content rules so as to facilitate aggregation of one or more of the plurality of log messages based on priority, wherein the plurality of priority queues comprise at least three queues;
generating at least one aggregate prior to sending the at least one aggregate over a network connection, wherein each of the at least one aggregate contains a set of retained log messages from one or more of the plurality of priority queues, wherein the generating step further comprises:
selecting, based at least in part on a priority associated with the retained log messages, one or more of log messages stored in a first of the plurality of priority queues until a packet size limit is reached, the first priority queue is exhausted, or a next log message is outside of a packet time interval;
compressing the at least one aggregate;
encrypting the at least one aggregate;
digitally signing the at least one aggregate;
sending the at least one aggregate over the network connection to a first data center;
storing, by the first data center, the at least one aggregate received from the appliance;
processing the at least one aggregate and one or more log messages contained in the at least one aggregate using one or more applications in the first data center;
sending a copy of the at least one aggregate received by the first data center to a second data center;
receiving the copy of the at least one aggregate sent from the first data center;
storing the copy of the at least one aggregate received from the appliance in reliable storage in the second data center;
processing one or more log messages contained in the at least one aggregate using one or more applications in the second data center;
sending a first message from the second data center to the first data center acknowledging receipt of the copy of the at least one aggregate;
receiving the message, by the first data center;
sending a second message from the first data center to the appliance acknowledging receipt of the at least one aggregate; and
deleting the at least one aggregate stored in the appliance memory in response to receiving the second message from the first data center.
19. The system of claim 18, wherein the appliance is configured to perform:
a) selecting one or more of the log messages stored in a second of the plurality of priority queues until the packet size limit is reached, the second priority queue is exhausted, or the next log message is outside of the packet time interval; and
b) repeating a) until the packet size limit is reached or all of the plurality of priority queues have been processed.
20. The system of claim 18, wherein the second data center is operable to assume the role of the first data center.
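The generating step of claims 1, 6 and 11 (walk the priority queues in order, take messages until the packet size limit is reached, the queue is exhausted or the next message is outside the packet time interval, then compress, protect and send) and the matching data-center side described earlier (decompress, verify, process) are shown together below as an added example; it is not code from the patent or from the assignee. The content rules, the sample lines, the interval and size values and the shared key are all constructed for the example. Two caveats a practitioner would want: SHA-256, which claim 4 names for the encrypting step, is a hash function rather than a cipher, so this example uses it as the digest over the compressed body and leaves encryption to a real cipher layer that is not implemented here; and the HMAC-SHA256 tag is a stand-in for the FIPS 186-2 digital signature of claim 5, chosen so the example runs with the standard library only.

```python
import bz2
import hashlib
import hmac
import json
from collections import deque

PRIORITIES = ("high", "medium", "low")  # claim 2: at least three priority queues

# Constructed message content rules (not from the patent): first match wins;
# a priority of None means the message is discarded rather than queued.
RULES = [
    ("unauthorized", "high"),
    ("Failed password", "high"),
    ("session opened", "medium"),
    ("DEBUG", None),
]
DEFAULT_PRIORITY = "low"

# Constructed sample input: (arrival time in seconds, raw log line).
SAMPLE = [
    (0, "sshd: Failed password for alice from 10.0.0.5"),
    (1, "kernel: DEBUG scheduler tick"),
    (2, "app: unauthorized read of patient file 42 by bob"),
    (3, "sshd: session opened for carol"),
    (4, "cron: job backup finished"),
    (70, "sshd: Failed password for alice from 10.0.0.6"),
]

KEY = b"constructed-demo-key"  # shared secret for the integrity tag; assumption of the example


def classify(line):
    for needle, prio in RULES:
        if needle in line:
            return prio
    return DEFAULT_PRIORITY


def new_queues():
    return {p: deque() for p in PRIORITIES}


def filter_into_queues(lines, queues):
    """Filtering step: each message is discarded or retained in exactly one queue."""
    retained = 0
    for ts, line in lines:
        prio = classify(line)
        if prio is not None:
            queues[prio].append((ts, line))
            retained += 1
    return retained


def generate_aggregate(queues, size_limit, interval_start, interval_len):
    """Generating step: visit queues in priority order and take messages until the
    size limit is reached (stop entirely), the queue is exhausted or the next
    message falls outside the packet time interval (move on to the next queue)."""
    selected, size = [], 0
    for prio in PRIORITIES:
        q = queues[prio]
        while q:
            ts, line = q[0]
            if not (interval_start <= ts < interval_start + interval_len):
                break  # next message is outside the packet time interval
            if size + len(line) > size_limit:
                if not selected:
                    raise ValueError("single message exceeds packet size limit")
                return selected  # packet size limit reached
            q.popleft()
            selected.append({"priority": prio, "ts": ts, "msg": line})
            size += len(line)
    return selected


def package(selected, key):
    """Appliance side: bzip2-compress the aggregate, then attach a SHA-256 digest
    and an HMAC tag (stand-in for the signature).  No encryption is applied here."""
    body = bz2.compress(json.dumps(selected).encode())
    return {
        "body": body,
        "sha256": hashlib.sha256(body).hexdigest(),
        "tag": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify(pkt, key):
    """Data center side: check the tag before decompressing or processing anything."""
    expected = hmac.new(key, pkt["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkt["tag"])


def unpack(pkt, key):
    if not verify(pkt, key):
        raise ValueError("integrity check failed; aggregate rejected")
    return json.loads(bz2.decompress(pkt["body"]))
```

With the constructed input and a 60-second interval starting at 0, one aggregate takes both in-interval high-priority lines, then the medium and low lines, and leaves the high-priority line stamped 70 for the next interval; the DEBUG line is discarded at the filtering step and never reaches a queue. Verification runs before decompression on purpose: a receiver that decompresses first is spending CPU on data it has not yet authenticated.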

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/141,202 US8407335B1 (en) 2008-06-18 2008-06-18 Log message archiving and processing using a remote internet infrastructure


Publications (1)

Publication Number Publication Date
US8407335B1 true US8407335B1 (en) 2013-03-26

Family

ID=47892426


Country Status (1)

Country Link
US (1) US8407335B1 (en)

Cited By (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130191497A1 (en) * 2012-01-25 2013-07-25 International Business Machines Corporation Storage and Transmission of Log Data In a Networked System
US20140259170A1 (en) * 2012-08-23 2014-09-11 Foreground Security Internet Security Cyber Threat Reporting System and Method
US20150019512A1 (en) * 2013-07-15 2015-01-15 Netapp, Inc. Systems and methods for filtering low utility value messages from system logs
CN104468222A (en) * 2014-12-15 2015-03-25 北京奇虎科技有限公司 Method, device and system for reporting log information
US20150116777A1 (en) * 2013-10-31 2015-04-30 Kyocera Document Solutions Inc. Electronic Device That Automatically Registers Alternative User Operation
US9065804B2 (en) 2011-08-09 2015-06-23 CloudPassage, Inc. Systems and methods for implementing security in a cloud computing environment
US9124640B2 (en) 2011-08-09 2015-09-01 CloudPassage, Inc. Systems and methods for implementing computer security
US20150264048A1 (en) * 2014-03-14 2015-09-17 Sony Corporation Information processing apparatus, information processing method, and recording medium
US20150379008A1 (en) * 2014-06-25 2015-12-31 International Business Machines Corporation Maximizing the information content of system logs
US9258321B2 (en) 2012-08-23 2016-02-09 Raytheon Foreground Security, Inc. Automated internet threat detection and mitigation system and associated methods
US20160117196A1 (en) * 2013-07-31 2016-04-28 Hewlett-Packard Development Company, L.P. Log analysis
US20160323216A1 (en) * 2015-05-01 2016-11-03 Cirius Messaging Inc. Split-architecture message processing system
US20170201495A1 (en) * 2016-01-08 2017-07-13 Moneygram International, Inc. Systems and method for providing a data security service
CN107918621A (en) * 2016-10-10 2018-04-17 阿里巴巴集团控股有限公司 Daily record data processing method, device and operation system
US9973600B2 (en) 2016-05-04 2018-05-15 Secureworks Corp. System and methods for scalable packet inspection in cloud computing
US10110589B2 (en) 2016-07-07 2018-10-23 Secureworks Corp. Systems and methods for task access behavior based site security
CN109308247A (en) * 2017-07-27 2019-02-05 东软集团股份有限公司 A kind of log processing method, device, equipment and a kind of network equipment
US20190146863A1 (en) * 2017-11-14 2019-05-16 Sap Se Message Handling Related to Non-Parallelizable Functionality
US10341458B2 (en) * 2014-06-30 2019-07-02 EMC IP Holding Company LLC Predicting a sub-set of resources to be migrated to a new location based on a mobile device's interactions with resources at a first location and a predicted period of time the mobile device is to be in the new location
US10594713B2 (en) 2017-11-10 2020-03-17 Secureworks Corp. Systems and methods for secure propagation of statistical models within threat intelligence communities
US10735470B2 (en) 2017-11-06 2020-08-04 Secureworks Corp. Systems and methods for sharing, distributing, or accessing security data and/or security applications, models, or analytics
US10785238B2 (en) 2018-06-12 2020-09-22 Secureworks Corp. Systems and methods for threat discovery across distinct organizations
US10841337B2 (en) 2016-11-28 2020-11-17 Secureworks Corp. Computer implemented system and method, and computer program product for reversibly remediating a security risk
US11003718B2 (en) 2018-06-12 2021-05-11 Secureworks Corp. Systems and methods for enabling a global aggregated search, while allowing configurable client anonymity
CN112882808A (en) * 2021-02-08 2021-06-01 上海弘积信息科技有限公司 Method for collecting and sending big data audit log of application delivery equipment
CN113472808A (en) * 2021-07-16 2021-10-01 浙江大华技术股份有限公司 Log processing method and device, storage medium and electronic device
US11310268B2 (en) 2019-05-06 2022-04-19 Secureworks Corp. Systems and methods using computer vision and machine learning for detection of malicious actions
US11381589B2 (en) 2019-10-11 2022-07-05 Secureworks Corp. Systems and methods for distributed extended common vulnerabilities and exposures data management
US11418524B2 (en) 2019-05-07 2022-08-16 Secureworks Corp. Systems and methods of hierarchical behavior activity modeling and detection for systems-level security
US11522877B2 (en) 2019-12-16 2022-12-06 Secureworks Corp. Systems and methods for identifying malicious actors or activities
US11528294B2 (en) 2021-02-18 2022-12-13 Secureworks Corp. Systems and methods for automated threat detection
US11588834B2 (en) 2020-09-03 2023-02-21 Secureworks Corp. Systems and methods for identifying attack patterns or suspicious activity in client networks
US20230156080A1 (en) * 2021-11-18 2023-05-18 International Business Machines Corporation Prioritizing data replication packets in cloud environment
US11855837B2 (en) * 2020-06-30 2023-12-26 Hewlett Packard Enterprise Development Lp Adaptive time window-based log message deduplication
US12015623B2 (en) 2022-06-24 2024-06-18 Secureworks Corp. Systems and methods for consensus driven threat intelligence
US12034751B2 (en) 2021-10-01 2024-07-09 Secureworks Corp. Systems and methods for detecting malicious hands-on-keyboard activity via machine learning

Citations (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030009571A1 (en) * 2001-06-28 2003-01-09 Bavadekar Shailesh S. System and method for providing tunnel connections between entities in a messaging system
US6522667B1 (en) * 1998-05-14 2003-02-18 Kdd Corporation Network interworking device for IP network / ATM network
US20030037235A1 (en) * 1998-08-19 2003-02-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US20030065727A1 (en) * 2001-09-28 2003-04-03 Capital One Financial Corporation Systems and methods for providing secured electronic messaging
US20030120795A1 (en) * 2001-12-20 2003-06-26 Marnetics Ltd. Method for capacity enhancement of packet switched networks
US6618378B1 (en) * 1999-07-21 2003-09-09 Alcatel Canada Inc. Method and apparatus for supporting multiple class of service connections in a communications network
US6907001B1 (en) * 1998-11-12 2005-06-14 Hitachi, Ltd. Packet switch for switching variable length packets in the form of ATM cells
US20050216774A1 (en) * 2000-08-18 2005-09-29 Smart Media Limited Apparatus, system and method for enhancing data security
US20060277592A1 (en) * 2005-06-01 2006-12-07 Research In Motion Limited System and method for determining a security encoding to be applied to outgoing messages
US20060294045A1 (en) * 2005-06-23 2006-12-28 Darrell Suggs Control of service workload management
US20070028001A1 (en) * 2005-06-21 2007-02-01 Steve Phillips Applying quality of service to application messages in network elements
US20070115922A1 (en) * 2005-10-19 2007-05-24 Marco Schneider Methods, apparatus and data structures for managing distributed communication systems
US20070157302A1 (en) * 2006-01-03 2007-07-05 Ottamalika Iqlas M Methods and systems for correlating event rules with corresponding event log entries
US20070209015A1 (en) * 2006-03-01 2007-09-06 Ritter Gerd M Value selection for electronic document
US20070283194A1 (en) * 2005-11-12 2007-12-06 Phillip Villella Log collection, structuring and processing
US20080016569A1 (en) * 2000-10-10 2008-01-17 Internet Security Systems, Inc. Method and System for Creating a Record for One or More Computer Security Incidents
US20080101354A1 (en) * 2006-10-31 2008-05-01 Arndt Manfred R Packet processing
US20080109889A1 (en) * 2003-07-01 2008-05-08 Andrew Bartels Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications
US20080130895A1 (en) * 2006-10-25 2008-06-05 Spyrus, Inc. Method and System for Deploying Advanced Cryptographic Algorithms
US20080263564A1 (en) * 2007-04-23 2008-10-23 Bea Systems, Inc. System and method for message service with unit-of-order
US20090089584A1 (en) * 2007-09-28 2009-04-02 Research In Motion Limited Systems, devices, and methods for outputting alerts to indicate the use of a weak hash function
US7599939B2 (en) 2003-11-26 2009-10-06 Loglogic, Inc. System and method for storing raw log data
US20090276771A1 (en) * 2005-09-15 2009-11-05 3Tera, Inc. Globally Distributed Utility Computing Cloud


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
George, R., "LogLogic Announces U.S. Patent for Storage of Raw Log Data," LogLogic News Releases, Dec. 2, 2009, at http://www.loglogic.com/news/news-releases/2009/december/loglogic-announces-Us-patent . . . printed on Jul. 19, 2010, 1 pg.
Seward, Julian, "Bzip2 compression algorithm," Wikipedia, version 1.00, 2000, pp. 1-2. *
US Dept. of Commerce/NIST, "Federal Information Processing Standard Publication FIPS 186-2," Jan. 27, 2000, pp. 1-72. *
Wikipedia, "Bzip2," Wikipedia.org, Mar. 17, 2008, pp. 1-5. *

Cited By (61)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10601807B2 (en) 2011-08-09 2020-03-24 CloudPassage, Inc. Systems and methods for providing container security
US10027650B2 (en) 2011-08-09 2018-07-17 CloudPassage, Inc. Systems and methods for implementing security
US10454916B2 (en) 2011-08-09 2019-10-22 CloudPassage, Inc. Systems and methods for implementing security
US9369493B2 (en) 2011-08-09 2016-06-14 CloudPassage, Inc. Systems and methods for implementing security
US9065804B2 (en) 2011-08-09 2015-06-23 CloudPassage, Inc. Systems and methods for implementing security in a cloud computing environment
US9124640B2 (en) 2011-08-09 2015-09-01 CloudPassage, Inc. Systems and methods for implementing computer security
US20130191497A1 (en) * 2012-01-25 2013-07-25 International Business Machines Corporation Storage and Transmission of Log Data In a Networked System
US20140095648A1 (en) * 2012-01-25 2014-04-03 International Business Machines Corporation Storage and Transmission of Log Data In a Networked System
US9392003B2 (en) * 2012-08-23 2016-07-12 Raytheon Foreground Security, Inc. Internet security cyber threat reporting system and method
US9258321B2 (en) 2012-08-23 2016-02-09 Raytheon Foreground Security, Inc. Automated internet threat detection and mitigation system and associated methods
US20140259170A1 (en) * 2012-08-23 2014-09-11 Foreground Security Internet Security Cyber Threat Reporting System and Method
US9535981B2 (en) * 2013-07-15 2017-01-03 Netapp, Inc. Systems and methods for filtering low utility value messages from system logs
US20150019512A1 (en) * 2013-07-15 2015-01-15 Netapp, Inc. Systems and methods for filtering low utility value messages from system logs
US20160117196A1 (en) * 2013-07-31 2016-04-28 Hewlett-Packard Development Company, L.P. Log analysis
US9176693B2 (en) * 2013-10-31 2015-11-03 Kyocera Document Solutions Inc. Electronic device that automatically registers alternative user operation
US20150116777A1 (en) * 2013-10-31 2015-04-30 Kyocera Document Solutions Inc. Electronic Device That Automatically Registers Alternative User Operation
US20150264048A1 (en) * 2014-03-14 2015-09-17 Sony Corporation Information processing apparatus, information processing method, and recording medium
US20150379008A1 (en) * 2014-06-25 2015-12-31 International Business Machines Corporation Maximizing the information content of system logs
US9665625B2 (en) * 2014-06-25 2017-05-30 International Business Machines Corporation Maximizing the information content of system logs
US10341458B2 (en) * 2014-06-30 2019-07-02 EMC IP Holding Company LLC Predicting a sub-set of resources to be migrated to a new location based on a mobile device's interactions with resources at a first location and a predicted period of time the mobile device is to be in the new location
CN104468222A (en) * 2014-12-15 2015-03-25 北京奇虎科技有限公司 Method, device and system for reporting log information
US9948585B2 (en) * 2015-05-01 2018-04-17 Cirius Messaging Inc. Split-architecture message processing system
US20160323216A1 (en) * 2015-05-01 2016-11-03 Cirius Messaging Inc. Split-architecture message processing system
US11843585B2 (en) * 2016-01-08 2023-12-12 Moneygram International, Inc. Systems and method for providing a data security service
US20170201495A1 (en) * 2016-01-08 2017-07-13 Moneygram International, Inc. Systems and method for providing a data security service
US20220158984A1 (en) * 2016-01-08 2022-05-19 Moneygram International, Inc. Systems and method for providing a data security service
US10616187B2 (en) * 2016-01-08 2020-04-07 Moneygram International, Inc. Systems and method for providing a data security service
US20240163263A1 (en) * 2016-01-08 2024-05-16 Moneygram International, Inc. Systems and method for providing a data security service
US9992175B2 (en) * 2016-01-08 2018-06-05 Moneygram International, Inc. Systems and method for providing a data security service
US20180248854A1 (en) * 2016-01-08 2018-08-30 Moneygram International, Inc. Systems and method for providing a data security service
US11159496B2 (en) * 2016-01-08 2021-10-26 Moneygram International, Inc. Systems and method for providing a data security service
US9973600B2 (en) 2016-05-04 2018-05-15 Secureworks Corp. System and methods for scalable packet inspection in cloud computing
US10110589B2 (en) 2016-07-07 2018-10-23 Secureworks Corp. Systems and methods for task access behavior based site security
CN107918621A (en) * 2016-10-10 2018-04-17 阿里巴巴集团控股有限公司 Log data processing method, device and business system
US11665201B2 (en) 2016-11-28 2023-05-30 Secureworks Corp. Computer implemented system and method, and computer program product for reversibly remediating a security risk
US10841337B2 (en) 2016-11-28 2020-11-17 Secureworks Corp. Computer implemented system and method, and computer program product for reversibly remediating a security risk
CN109308247A (en) * 2017-07-27 2019-02-05 东软集团股份有限公司 Log processing method, device and equipment, and network equipment
CN109308247B (en) * 2017-07-27 2023-02-03 东软集团股份有限公司 Log processing method, device and equipment and network equipment
US10735470B2 (en) 2017-11-06 2020-08-04 Secureworks Corp. Systems and methods for sharing, distributing, or accessing security data and/or security applications, models, or analytics
US11632398B2 (en) 2017-11-06 2023-04-18 Secureworks Corp. Systems and methods for sharing, distributing, or accessing security data and/or security applications, models, or analytics
US10594713B2 (en) 2017-11-10 2020-03-17 Secureworks Corp. Systems and methods for secure propagation of statistical models within threat intelligence communities
US20190146863A1 (en) * 2017-11-14 2019-05-16 Sap Se Message Handling Related to Non-Parallelizable Functionality
US10565044B2 (en) * 2017-11-14 2020-02-18 Sap Se Message handling related to non-parallelizable functionality
US11003718B2 (en) 2018-06-12 2021-05-11 Secureworks Corp. Systems and methods for enabling a global aggregated search, while allowing configurable client anonymity
US11044263B2 (en) 2018-06-12 2021-06-22 Secureworks Corp. Systems and methods for threat discovery across distinct organizations
US10785238B2 (en) 2018-06-12 2020-09-22 Secureworks Corp. Systems and methods for threat discovery across distinct organizations
US11310268B2 (en) 2019-05-06 2022-04-19 Secureworks Corp. Systems and methods using computer vision and machine learning for detection of malicious actions
US11418524B2 (en) 2019-05-07 2022-08-16 Secureworks Corp. Systems and methods of hierarchical behavior activity modeling and detection for systems-level security
US11381589B2 (en) 2019-10-11 2022-07-05 Secureworks Corp. Systems and methods for distributed extended common vulnerabilities and exposures data management
US11522877B2 (en) 2019-12-16 2022-12-06 Secureworks Corp. Systems and methods for identifying malicious actors or activities
US11855837B2 (en) * 2020-06-30 2023-12-26 Hewlett Packard Enterprise Development Lp Adaptive time window-based log message deduplication
US11588834B2 (en) 2020-09-03 2023-02-21 Secureworks Corp. Systems and methods for identifying attack patterns or suspicious activity in client networks
CN112882808B (en) * 2021-02-08 2023-10-24 上海弘积信息科技有限公司 Method for collecting and transmitting big data audit log of application delivery equipment
CN112882808A (en) * 2021-02-08 2021-06-01 上海弘积信息科技有限公司 Method for collecting and sending big data audit log of application delivery equipment
US11528294B2 (en) 2021-02-18 2022-12-13 Secureworks Corp. Systems and methods for automated threat detection
CN113472808B (en) * 2021-07-16 2023-07-14 浙江大华技术股份有限公司 Log processing method and device, storage medium and electronic device
CN113472808A (en) * 2021-07-16 2021-10-01 浙江大华技术股份有限公司 Log processing method and device, storage medium and electronic device
US12034751B2 (en) 2021-10-01 2024-07-09 Secureworks Corp. Systems and methods for detecting malicious hands-on-keyboard activity via machine learning
US20230156080A1 (en) * 2021-11-18 2023-05-18 International Business Machines Corporation Prioritizing data replication packets in cloud environment
US11917004B2 (en) * 2021-11-18 2024-02-27 International Business Machines Corporation Prioritizing data replication packets in cloud environment
US12015623B2 (en) 2022-06-24 2024-06-18 Secureworks Corp. Systems and methods for consensus driven threat intelligence

Similar Documents

Publication Publication Date Title
US8407335B1 (en) Log message archiving and processing using a remote internet infrastructure
US8156553B1 (en) Systems and methods for correlating log messages into actionable security incidents and managing human responses
US8079081B1 (en) Systems and methods for automated log event normalization using three-staged regular expressions
US11277446B2 (en) Event integration frameworks
US11558407B2 (en) Enterprise policy tracking with security incident integration
US11341092B2 (en) Method and system for applying data retention policies in a computing platform
TWI434190B (en) Storing log data efficiently while supporting querying to assist in computer network security
US8280844B2 (en) Anomalous activity detection
US20210006642A1 (en) Activation of performance monitoring component of network protocol based on network metrics
US8578393B1 (en) Log message collection employing on-demand loading of message translation libraries
US10491403B2 (en) Data loss prevention with key usage limit enforcement
US7653633B2 (en) Log collection, structuring and processing
AU2006315555B2 (en) Log collection, structuring and processing
US11997187B2 (en) Anonymized storage of monitoring data
US20150163199A1 (en) Systems and methods for integrating cloud services with information management systems
WO2014053313A1 (en) Data logs management in a multi-client architecture
CN113162943B (en) Method and system for dynamically managing firewall policy
US20180349983A9 (en) A system for periodically updating backings for resource requests
WO2022018554A1 (en) Dynamically determining trust level of end-to-end link
CN110086789B (en) Data transmission method, device, equipment and medium
US10013237B2 (en) Automated approval
CN109254893B (en) Service data auditing method, device, server and storage medium
US8074267B1 (en) Computer communications monitor
KR101641306B1 (en) Apparatus and method of monitoring server
CN113242255B (en) Intelligent flow analysis method and system based on enterprise security

Legal Events

Date Code Title Description
AS Assignment

Owner name: ALERT LOGIC, INC., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHURCH, CHRISTOPHER A.;FISHER, PAUL;GOLOVINSKY, EUGENE;AND OTHERS;REEL/FRAME:021472/0898

Effective date: 20080609

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: SQUARE 1 BANK, AS AGENT, NORTH CAROLINA

Free format text: SECURITY INTEREST;ASSIGNOR:ALERT LOGIC, INC.;REEL/FRAME:035879/0193

Effective date: 20140604

FEPP Fee payment procedure

Free format text: PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: PACIFIC WESTERN BANK, NORTH CAROLINA

Free format text: SECURITY INTEREST;ASSIGNOR:ALERT LOGIC, INC.;REEL/FRAME:042702/0659

Effective date: 20170601

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: ALERT LOGIC, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:PACIFIC WESTERN BANK;REEL/FRAME:059392/0524

Effective date: 20220324

AS Assignment

Owner name: JEFFERIES FINANCE LLC, AS COLLATERAL AGENT, NEW YORK

Free format text: FIRST LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:ALERT LOGIC, INC.;REEL/FRAME:060306/0555

Effective date: 20220603

Owner name: GOLUB CAPITAL MARKETS LLC, AS COLLATERAL AGENT, ILLINOIS

Free format text: SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:ALERT LOGIC, INC.;REEL/FRAME:060306/0758

Effective date: 20220603

FEPP Fee payment procedure

Free format text: 11.5 YR SURCHARGE- LATE PMT W/IN 6 MO, LARGE ENTITY (ORIGINAL EVENT CODE: M1556); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12